I had not updated Charles for a while; because of work I use it almost every day to capture traffic.
Charles is generous: although it is paid software, it can be used indefinitely without buying it, and no features are cut. The only price is that each session cannot exceed 30 minutes, and startup is delayed by 10 seconds. In the spirit of research, let's study its registration logic.
First, following the click event in the UI, we trace to the RegisterFrame class, which clearly extends JDialog:

```java
public class RegisterFrame extends JDialog {
    ...
    public RegisterFrame(Frame var1) {
        super(var1, true);
        this.setTitle("Register Charles");
        ... // irrelevant code omitted
        this.bRegister = new JButton("Register");
        this.bCancel = new JButton("Cancel");
        ...
        this.bCancel.addActionListener(new jumq(this));
        this.bRegister.addActionListener(new oNCJ(this));
        ... // irrelevant code omitted
    }
}
```
Here we see the listener attached to the bRegister button, so we continue into the oNCJ class:

```java
public final void actionPerformed(ActionEvent var1) {
    String var4 = RegisterFrame.PpPw(this.PpPw).getText().trim();
    String var2 = RegisterFrame.wAkp(this.PpPw).getText().trim();
    if (var4.length() > 0 && var2.length() > 0) {
        String var3;
        if ((var3 = Dheu.PpPw(var4, var2)) != null) {
            ExtendedJOptionPane.PpPw(this.PpPw, var3, "Charles Registration", 2);
            return;
        }
        ExtendedJOptionPane.PpPw(this.PpPw, "Thank you for registering. Charles will now close. Please start Charles again to continue.", "Charles Registration", 1);
        CharlesContext var5;
        (var5 = CharlesContext.getInstance()).getConfiguration().getRegistrationConfiguration().setName(var4);
        var5.getConfiguration().getRegistrationConfiguration().setKey(var2);
        var5.exit(0, true);
    }
}
```
Note the obvious key check here: Dheu.PpPw(var4, var2) != null. As analyzed in a previous article, simply deleting this check causes an exception, so we need to look further into the Dheu class. This class has a lot of code, so I won't paste all of it; only the important parts are analyzed.

```java
public static String PpPw(String var0, String var1) {
    Dheu var3;
    try {
        var3 = new Dheu(var0, var1);
    } catch (LicenseException var2) {
        return var2.getMessage();
    }
    wAkp = var3;
    return null;
}
```
Following the earlier call we arrive at this method. Although it ultimately returns null, the wAkp field is clearly being set along the way. Searching for uses of wAkp:

```java
private static void PpPw(Dheu var0) {
    wAkp = var0;
}

public static boolean PpPw() {
    Dheu var0 = wAkp;
    return wAkp.WPsu;
}

public static void wAkp() {
    wAkp = new Dheu();
}

public static String WPsu() {
    Dheu var0 = wAkp;
    switch (jumq.PpPw[var0.IqPv.ordinal()]) {
        case 1:
            return var0.SWIF;
        case 2:
            return var0.SWIF + " - Site License";
        case 3:
            return var0.SWIF + " - Multi-Site License";
        default:
            return var0.SWIF;
    }
}
```
Again looking only at the key methods: there is a boolean PpPw(), which we simply make return true. The String method WPsu() below it decides the license type based on a field value. We don't bother with that and just change the method's return value to a string of our own.

```java
private String Ifzu() {
    switch (jumq.PpPw[this.IqPv.ordinal()]) {
        case 1:
            return this.SWIF;
        case 2:
            return this.SWIF + " - Site License";
        case 3:
            return this.SWIF + " - Multi-Site License";
        default:
            return this.SWIF;
    }
}
```
A little further down there is an almost identical function; to be safe, its return value is changed as well.
After the modifications it looks roughly like this:

```java
private static void PpPw(Dheu var0) {
    wAkp = var0;
}

public static boolean PpPw() {
    Dheu var0 = wAkp;
    return true;
}

public static void wAkp() {
    wAkp = new Dheu();
}

public static String WPsu() {
    return "破解 by John_Hao";
}

public static String PpPw(String var0, String var1) {
    return null;
}

private boolean SWIF() {
    return this.WPsu;
}

private String Ifzu() {
    return "破解 by John_Hao";
}
```
Next, recompile the Java file. If you compile it directly at this point you get a pile of errors: LicenseType cannot be found, garbled characters, errors catching LicenseException, and so on.

```java
// remove the garbled characters in the middle and change it to []
paramString1.replaceAll("[�����������������������]", " ");
```

The "unreported exception LicenseException" error means these exception handlers have to be removed. The remaining error is:

错误: 找不到符号
Once everything is fixed, it compiles without trouble. Note that our target file lives in the com.xk72.charles package; compiling it directly reports "cannot find symbol". The fix is simple: point -cp at the root directory.

```shell
# example
$ javac -cp /Users/johnhao/Downloads/anti/charles/ /Users/johnhao/Downloads/anti/charles/com/xk72/charles/Dheu.java
```
The last step is to put the compiled class file back into the jar. Again because of the package directory, we need to create the same directory hierarchy, com/xk72/charles/, to hold the modified class file.

```shell
# pack the class file into the jar
jar uf charles.jar com/xk72/charles/Dheu.class
```

Overwrite the original jar file and run Charles again: it works! Tested on both Mac and Win7 64-bit.
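Because the patch is applied by replacing a single class entry inside charles.jar, the tampering is easy to spot from the defender's side: hash every entry of a known-good jar and diff it against the copy on disk. The example below is added here and is not code from the original post or from Charles; the two jars are constructed in memory with placeholder bytes rather than real class files.

```python
import hashlib
import io
import zipfile


def entry_digests(jar_bytes: bytes) -> dict:
    """Return {entry_name: sha256_hex} for every file entry in a jar (a jar is a zip)."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def diff_jars(baseline: bytes, candidate: bytes) -> dict:
    """Compare a candidate jar against a known-good baseline by entry content.
    Only content is hashed, so timestamp changes from an in-place update
    (jar's update mode rewrites the entry) do not cause false positives."""
    base, cand = entry_digests(baseline), entry_digests(candidate)
    return {
        "modified": sorted(n for n in base if n in cand and base[n] != cand[n]),
        "added": sorted(set(cand) - set(base)),
        "removed": sorted(set(base) - set(cand)),
    }


def build_jar(entries: dict) -> bytes:
    """Build an in-memory jar from {name: bytes}; constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: the vendor jar, and a copy where one class entry was swapped.
_MANIFEST = b"Manifest-Version: 1.0\n"
ORIGINAL_JAR = build_jar({
    "META-INF/MANIFEST.MF": _MANIFEST,
    "com/xk72/charles/Dheu.class": b"\xca\xfe\xba\xbe original-bytecode",
    "com/xk72/charles/RegisterFrame.class": b"\xca\xfe\xba\xbe unchanged",
})
PATCHED_JAR = build_jar({
    "META-INF/MANIFEST.MF": _MANIFEST,
    "com/xk72/charles/Dheu.class": b"\xca\xfe\xba\xbe patched-bytecode",
    "com/xk72/charles/RegisterFrame.class": b"\xca\xfe\xba\xbe unchanged",
})

if __name__ == "__main__":
    print(diff_jars(ORIGINAL_JAR, PATCHED_JAR))
```

In practice the baseline digests come from a vendor-signed copy, and the same check can be driven by `jarsigner -verify`, which fails once any signed entry no longer matches its manifest digest.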
Link to the patched files:
https://pan.baidu.com/s/1wl2m9a2hhJwTUJ7sCiKyVg
Password: znpg
Appendix: changelog for version 4.2.5
Version 4.2.5
7 April 2018
Major bug fixes and minor improvements.
Improvements:
Hostname filter added to Structure view
Websockets: added right-click to export all messages as individual files
SSL Proxying support extended to Port Forwarding and non-HTTP SOCKS traffic
Charles no longer prevents sleep on macOS
SOCKS TLS connections now get a host name instead of just an IP address
Many internal improvements to the minutiae of proxying, including reduced usage of chunked responses when they weren't warranted, and improved Expect/Continue behaviour.
Bug fixes:
Map Remote and Map Local bugs fixed that prevented correct https -> http and http -> https mappings
Authentication viewer fixes to the display of bearer tokens and similar
HTTP 2 over Reverse Proxy improved
cURL-compatible URL creation fixed for HTTP 2
Windows: some native code loading issues fixed, which prevented Charles from automatically controlling the Windows Proxy