IDEA破解原理学习
背景
我下载的 IntelliJ IDEA 2023.2.1 (Ultimate Edition)版本,采用这篇文章中的方式 IDEA 激活到 2099 年。
激活的基本思路是采用 Java Agent 技术拦截注册验证逻辑,绕过服务端,告诉客户端自己是合法的。本文主要分析拦截了哪些点,做了什么修改,但是不包括激活注册码的生成。
初步分析
从教程中看核心的一步是增加了 IDEA JVM 启动时参数-javaagent:/Users/[user]/tools/jihuo-tool-2099/active-agt-idea.jar,可以确定采用的是 Java Agent 拦截技术。
为了搞清楚 Java Agent 中做了什么,使用 JD-GUI 反编译 jihuo-tool-2099 目录下 jar 文件。
从反编译后的源文件看,使用的是 janetfilter 包。
从网上搜索了一下,janetfilter 来自https://ja-netfilter.com,来自一位@pengzhile的大佬,但是这个网站貌似已经不能访问了。知乎有一个[大神](https://zhuanlan.zhihu.com/p/494706735)从框架和字节码层面对代码做了比较细致的分析。
github 上 ja-netfilter 代码仓库插件部分不全,gitee 上找到一个比较全的(@pengzhile 大神的),于是 fork 出来几个项目看源码。
序号 | 模块 | 介绍 |
---|---|---|
1 | https://gitee.com/shidongwa/ja-netfilter | JVM Options 加载的 java agent |
2 | https://gitee.com/shidongwa/plugin-power | 插件:激活验证码时非对称加解密 |
3 | https://gitee.com/shidongwa/plugin-dns | 插件:屏蔽 jetbrains.com |
4 | https://gitee.com/shidongwa/plugin-url | 插件:屏蔽https://account.jetbrains.com/lservice/rpc/validateKey.action |
5 | config 目录下的*.conf | 插件配置包括 url,dns 和 power |
进阶
Java Agent
这部分对了解 Java Agent 的同学来说比较好理解,在 IDEA 启动时 main 主流程执行前通过 Java Agent premain 加载 ja-netfilter 框架和插件;注册码激活阶段,url、dns 和 power 插件 hook 点产生拦截,改写原有的验证逻辑。这部分功能还是比较透明的,主要逻辑在 ja-netfilter 项目中。了解 Java Agent、ClassFileTransformer、ASM 的同学来说不是难事。
hook 点
主要定义在 plugin-url,plugin-dns 和 plugin-power 三个项目中。
插件 | hook 点 | hook 逻辑简介 |
---|---|---|
url | sun/net/www/http/HttpClient.openServer | 验证注册码时拦截返回 SocketTimeoutException |
dns | java/net/InetAddress.getAllByName 和 isReachable | 拦截返回 java.net.UnknownHostException 和 jetbrains.com 域名不可达 |
power | java/math/BigInteger.oddModPow | 拦截幂指数取模方法,非对称加解密用到 |
拦截域名和激活网站的访问
以 url 插件为例,hook 逻辑拦截了 sun/net/www/http/HttpClient 类 openServer 调用。从 HttpClient 类中获取 url 属性,作为参数调用 URLFilter.testURL 方法,如果和 url.conf 配置的验证地址匹配,直接返回 SocketTimeoutException 异常终止检查流程。假设我是正版用户,现在本地上不了网,你总不能禁止我用 IDEA 吧?
采用 ASM 在方法入口处插入字节码
@Override
public String getHookClassName() {
return "sun/net/www/http/HttpClient";
}
@Override
public byte[] transform(String className, byte[] classBytes, int order) throws Exception {
URLFilter.setRules(rules);
ClassReader reader = new ClassReader(classBytes);
ClassNode node = new ClassNode(ASM5);
reader.accept(node, 0);
for (MethodNode mn : node.methods) {
if ("openServer".equals(mn.name) && "()V".equals(mn.desc)) {
InsnList list = new InsnList();
list.add(new VarInsnNode(ALOAD, 0));
list.add(new FieldInsnNode(GETFIELD, "sun/net/www/http/HttpClient", "url", "Ljava/net/URL;"));
list.add(new MethodInsnNode(INVOKESTATIC, "com/janetfilter/plugins/url/URLFilter", "testURL", "(Ljava/net/URL;)Ljava/net/URL;", false));
list.add(new InsnNode(POP));
mn.instructions.insert(list);
}
}
ClassWriter writer = new ClassWriter(ClassWriter.COMPUTE_FRAMES | ClassWriter.COMPUTE_MAXS);
node.accept(writer);
return writer.toByteArray();
}
翻译后的字节码逻辑
URLFilter.testURL(this.url);
字节码中调用的方法逻辑
public static URL testURL(URL url) throws IOException {
if (null == url || null == ruleList) {
return null;
}
for (FilterRule rule : ruleList) {
if (!rule.test(url.toString())) {
continue;
}
DebugInfo.output("Reject url: " + url + ", rule: " + rule);
throw new SocketTimeoutException("connect timed out");
}
return url;
}
url.conf
[URL]
PREFIX,https://account.jetbrains.com/lservice/rpc/validateKey.action
拦截激活逻辑
url 和 dns 插件都比较好理解,核心是 power 这个插件逻辑是黑盒。power 的配置 conf 和激活码有关。
贴一下 power.conf 配置感受一下。power 插件通过拦截 java/math/BigInteger 的 oddModPow 方法(幂指取模,非对称加解密用到),通过匹配到几个**大数参数后,直接返回结果大数。配置中这几个大数**都是黑盒,猜测和提供的激活码是一一对应的。
[Result]
EQUAL,120506319308405029943033101198259523557651500267734599270782782071425072541184605728867830395125412768750966448411447392137801711908001958831204692561738046570955709184538088569271703484602917023462976408329100293802371486063140115775311907530943821345005598057265747678100463689973450156515895355214983079672467769169324175533323801179755544364921063654340185317077965735659865485150734884110709760680757502730007505995422237875348017761382234951127263548660889969621730944377739766734765769747684457663965611896398862841334032542726392699785677440644859509166466497325071885386505404431787167239320957696896447925472784312642576835792921100239616617639216190447230487878404191838684279341834945197861631446454083984351911070798505031973496634229907567362853550735007045265430703581336189733180744888091740381912913980707537008943084904260746266383019688346709856215660232636334604552145129775009725685598798774376749830567219982166661918408832945395290223853748014160473876195098438959881711585152480525870219408398012002829112863175041709512032251930709608035158747101960447898838942705485214217426612863919268749874079707310181890737049603255938886865558759802593500502795018952114650332765839003032013708006750600413455628536259,65537,860106576952879101192782278876319243486072481962999610484027161162448933268423045647258145695082284265933019120714643752088997312766689988016808929265129401027490891810902278465065056686129972085119605237470899952751915070244375173428976413406363879128531449407795115913715863867259163957682164040613505040314747660800424242248055421184038777878268502955477482203711835548014501087778959157112423823275878824729132393281517778742463067583320091009916141454657614089600126948087954465055321987012989937065785013284988096504657892738536613208311013047138019418152103262155848541574327484510025594166239784429845180875774012229784878903603491426732347994359380330103328705981064044872334790365894924494923595382470094461546336020961505275530597716457288511366082299255537762891238136381924520749228412559219346777184174219999640906007205260040707839706131662149325151230558316068068139406816080119906833578907759960298749494098180107991752250725928647349597506532778539709852254478061194098069801549845163358315116260915270480057699929968468068015735162890213859113563672040630687357054902747438421559817252127187138838514773245413540030800888215961904267348727206110582505606182944023582459006406137831940959195566364811905585377246353->31872219281407242025505148642475109331663948030010491344733687844358944945421064967310388547820970408352359213697487269225694990179009814674781374751323403257628081559561462351695605167675284372388551941279783515209238245831229026662363729380633136520288327292047232179909791526492877475417113579821717193807584807644097527647305469671333646868883650312280989663788656507661713409911267085806708237966730821529702498972114194166091819277582149433578383639532136271637219758962252614390071122773223025154710411681628917523557526099053858210363406122853294409830276270946292893988830514538950951686480580886602618927728470029090747400687617046511462665469446846624685614084264191213318074804549715573780408305977947238915527798680393538207482620648181504876534152430149355791756374642327623133843473947861771150672096834149014464956451480803326284417202116346454345929350148770746553056995922154382822307758515805142704373984019252210715650875853634697920708113806880196144197384637328982263167395073688501517286678083973976140696077590122053014085412828620051470085033364773099146103525313018873319293728800442101520384088109603555959893639842091339193857485407672132882577840295039058621747654642202620767068924079813640067442975
[Result]
; Suit 220601
EQUAL,9970935694920330656405167959533554252217970647084776057423751898089045860341180386533351140918260338872246155863555501092816944353175444906105565014568261106548589158571861774550164461896758602102373516236870892643837892318126250226919038293790053127130898272303501703464573600523050759559067633087488936991875169121104652750265018070959575324126062773607549550801286543599974245290769326883172020855883190399971285741645567417490671778470574604377963631714407124663703228576223086964451135844192119318923836452339326901275478166944260590207134188073058882380021689355620830864836574673135672689775213438942573428772,65537,24521566609765666164947017540032021599255701751860227819512057581863724253675446227963662825786216373422117712052647819939094618512591273903731385388945941620956494535886991119537555521717683289574562412249381695575366776196301290570457146763799416784211789775179394339350479765228864277544252534115220169733628333836919758657866915165201332480467127194998195481209996470680276955438320553419743409285076366446411459237915876713514676197204668785300100857270615348770478845912795954436677863461158442534283102154396294509903255539003316675136070586165787963286744036831353098283719024130881707718857451774498022915819->986236757547332986472011617696226561292849812918563355472727826767720188564083584387121625107510786855734801053524719833194566624465665316622563244215340671405971599343902468620306327831715457360719532421388780770165778156818229863337344187575566725786793391480600129482653072861971002459947277805295727097226389568776499707662505334062639449916265137796823793276300221537201727072401742985542559596685092673521228140822200236743113743661549252453726123450722876929538747702356573783116366629850199080495560991841329893037291900147497007197055572787780928474439122179939186178849813435301648763482073347108395064
配置和激活码
用 gitee 或者 github 中的项目编译生成 jar 包加上https://blog.idejihuo.com/jetbrains/intellij-idea-2023-1-3-activation-code-cracking-to-2099.html中的配置和激活码IDEA并不能启动成功。猜测jar包+配置+激活码必须要匹配。
前文中提到的@pengzhile 大佬个人网站有很多原始资料。这篇博文中其实提到了如何获取完整 jar 包+配置+激活码。我试了一下,可以用。文中提到的热心大佬很神秘,另外一个中本聪?
框架和插件扩展
ja-netfilter 设计时考虑了扩展性,通过自定义插件和配置,GoLand、PyCharm、DataGrip 等都可以采用同样的思路激活。
总结
本文学习了 Java Agent 拦截绕过 Jetbrains 注册流程。如果你对 Java Agent,ASM 字节码不感兴趣,只对激活 IDEA 感兴趣的话,有两种方式获取(亲测都可用)。
- 激活到 2099 年
- 激活到 2025 年,动态更新。随便点开一个网站,下载 jar 和配置,提取激活码
免责声明
如果您觉得本程序好用,建议您立即删除本程序并购买正版;本项目只做个人学习研究之用,不得用于商业用途!