MENU

关于SolusVM的破解

• February 21, 2018 • Read: 1483 • 瞎折腾

solusvm的授权部分在system下面的clean.php里面。
这个文件包括两个函数,一个LicenseDecode,一个LicenseDecodePart。
那么自然,逆向他的算法即可。
因为怕dmca,我就不放解密了~
我放加密233333

<?php
    private $_s_C_OOO_o01 = "ypO%_Y/y0#rY@KFi==@65%swYskCaCTk-52#*StP6HCsrwP!tB";
    private $_s_C_OOO_o02 = "MM=co=_prb+;XyuHkHfNtyWy/y@/FzcofZ9HqjQ9?XxSb96a.d";
    private $_s_C_OOO_o03 = "31m*R*Z!zmnDjdqovF8Wyq1-LZUAFohEKqn652kM.FGykJF7LT";
    private $_s_C_OOO_o04 = "UF*zssdx8E9Q7+tzZ%*Y#j2=/FFZOekUr1BXB6OANpO1-ivAOm";
    private $_s_C_OOO_o05 = 30;
    private $_s_C_OOO_o06 = "+";
    private $_s_C_OOO_o07 = 30;
    private $_s_C_OOO_o08 = "(";
    private $_s_C_OOO_o09 = "=============================== START KEY DATA =================================\n";
    private $_s_C_OOO_o10 = "\n================================ END KEY DATA ==================================";

    public function LicenseEncode($result)
    {
        $resulttraw = serialize($result);
        $resulttraw = base64_encode($resulttraw);
    $md5Hash = md5($resulttraw . $result['checkDate'] . $this->_s_C_OOO_o04);
    $data = $md5Hash.$resulttraw;
    $md5Hash = md5(strrev($data) . $this->_s_C_OOO_o03);
    $data = $md5Hash.strrev($data);
    $data = $this->LicenseEncodePart($data, $this->_s_C_OOO_o01);
    $data = strrev($data);
        $data = gzdeflate($data);
        $data = convert_uuencode($data);
    $data = strrev($data);
    $data = $this->LicenseEncodePart($data, $this->_s_C_OOO_o02);
    $data = strtoupper($data);
    $data = wordwrap($data, 18, "+", true);
    $data = wordwrap($data, 348, "(", true);
    $data = wordwrap($data, 80, "\n", true);
    $data = $this->_s_C_OOO_o09 . $data;
    $data = $data . $this->_s_C_OOO_o10;
    return $data;
    }

    private function LicenseEncodePart($string, $key)
    {
        $key = sha1($key);
        $strLen = strlen($string);
        $keyLen = strlen($key);
        $i = 0;
        while( $i < $strLen ) 
        {
            $ordStr = ord(substr($string, $i, 1));
        if( $j == $keyLen ) 
            {
                $j = 0;
            }
        $ordKey = ord(substr($key, $j, 1));
            $j++;
            $hash .= strrev(base_convert(dechex($ordStr + $ordKey), 16, 36));
            $i += 1;
        }
        return $hash;
    }

授权访问的位置是 /clients/modules/servers/licensing/slbs_verify_license.php
我给一个 slbs_verify_license.php 的范例:

<?php
    require "cleaned.php";
    if(isset($_POST["nodes"]) && isset($_POST["licensekey"]) && isset($_POST["domain"]) && isset($_POST["ip"]) && isset($_POST["dir"])){                              
    $returnarray = array( "hash" => '',
        "hash2" => '',
        "status" => 'Active',
        "productid" => 20,
        "checkDate" => date("Y-M-D"),
        "companyname" => "NagakaTech",
        "email" => "admin@loli.ren",
        "configoptions" => "Slaves=100|Mini Slaves=100|Micro Slaves=100"
    );
    $data = LicenseEncode($returnarray);
    echo($data);
}else{
    echo("No input");
}

附注:
solusvm服务器(需要hosts掉)
http://www.soluslabs.com
licensing1.soluslabs.net
licensing5.soluslabs.net

后记:

使用的版本是1.20.03,只测试了前台网页的license正常~

原文转自:《记一次solusvm的破解/(=-=)》

Archives QR Code
QR Code for this page
Tipping QR Code
Leave a Comment

已有 2 条评论
  1. 不明觉历啊。

  2. Ricky.D. Ricky.D.

    求完整测试,另外,感谢分享,准备逆向。