#12 New Navicat v16.0.3 Test

Closed
opened 2 years ago by DeltaFoX · 10 comments
DeltaFoX commented 2 years ago

Hi Mr. Doublesine,

This is the new test on the new v16.0.3 for Windows.

1) SerialKey has some bytes changed

By brute force I found a valid serial: NAVDCOF4WS3OOKTO

High 4 bits of data[8] represents major version number.

Example:

For Navicat 15 x64: High 4 bits must be 1111 (0xF0), which is the binary of number 15.

But for v16 ?? 0x10?

3) This is the test of the patch solutions:

[+] Try to open Navicat.exe ... Ok!
[+] Try to open libcc.dll ... Ok!

[+] PatchSolution0 ...... Ready to apply

[*] Patch offset = +0x02f8787c

[+] PatchSolution1 ...... Ready to apply

[*] [0] Patch offset = +0x03508ea0
[*] [1] Patch offset = +0x009e3959
[*] [2] Patch offset = +0x03508bb0
[*] [3] Patch offset = +0x009e393f
[*] [4] Patch offset = +0x03508ba8

[-] PatchSolution2 ...... Omitted
[-] PatchSolution3 ...... Omitted
[-] PatchSolution4 ...... Omitted

[*] PatchSolution0 is suppressed in order to keep digital signature valid.

[*] Generating new RSA private key, it may take a long time...
[*] Your RSA public key:

The problem is PatchSolution4 ...... Omitted

v15 has:

                    // >>>>>>>>>>>> .text:00000001819B02C0 48 8D 4D 27       lea     rcx, [rbp + 5Fh + var_38]
                    //              .text:00000001819B02C4 48 83 7D 3F 10    cmp[rbp + 5Fh + var_20], 10h
                    //  42 BYTES    .text:00000001819B02C9 48 0F 43 4D 27    cmovnb  rcx, [rbp + 5Fh + var_38]
                    //              .text:00000001819B02CE 48 8D 45 07       lea     rax, [rbp + 5Fh + var_58]
                    //  THESE CODE  .text:00000001819B02D2 48 83 7D 1F 10    cmp[rbp + 5Fh + var_40], 10h
                    //  WILL BE     .text:00000001819B02D7 48 0F 43 45 07    cmovnb  rax, [rbp + 5Fh + var_58]
                    //  REPLACED    .text:00000001819B02DC 44 0F B6 04 38    movzx   r8d, byte ptr[rax + rdi]
                    //              .text:00000001819B02E1 44 02 04 39       add     r8b, [rcx + rdi]
                    // <<<<<<<<<<<< .text:00000001819B02E5 BA 01 00 00 00    mov     edx, 1
                    //              .text:00000001819B02EA 48 8B CB          mov     rcx, rbx
                    //              .text:00000001819B02ED E8 FE 62 D3 FE    call    sub_1806E65F0

on v16

https://i.imgur.com/toFlAC8.jpg


Need a new opcode to call the stored new RSA key.

Does anyone have other info?

Best regards

DeltaFoX commented 2 years ago
Poster

1) Navicat Premium v16 and Essentials v16 use a new DES key for snKey

byte[] DESKey2 = { 0xE9, 0x7F, 0xB0, 0x60, 0x77, 0x45, 0x90, 0xAE };

2) Navicat product ID data[7] is always 0x65 for Premium v16 and 0x67 for Essentials v16

3) Major version number data[8] can be any byte...

Regards

DeltaFoX commented 2 years ago
Poster

@doublesine

[code] [[nodiscard]]

bool PatchSolution3::FindPatchOffset() noexcept {
    try {
        static const uint8_t HeaderOfTargetFunction[] = {
            0x40, 0x55,                                         // push    rbp
            0x48, 0x8D, 0xAC, 0x24, 0xE0, 0x9C, 0xFF, 0xFF,     // lea     rbp, [rsp-6320h]
            0xB8, 0x20, 0x64, 0x00, 0x00                        // mov     eax, 6420h
        }; // NEW OPCODE X64 DFoX

        PatchInfo Patch[_countof(_Patch)] = {};

        const uint8_t* lpTargetFunction = nullptr;
        auto lptargetFunctionHint = _Image.SearchSection<const uint8_t*>(".text", [&lpTargetFunction](const uint8_t* p) {
            __try {
                if (*reinterpret_cast<const uint32_t*>(p) == 0x6b67424e) {
                    auto i = p - 0x250;
                    for (; i < p; ++i) {
                        if (memcmp(i, HeaderOfTargetFunction, sizeof(HeaderOfTargetFunction)) == 0) {
                            lpTargetFunction = i;
                            return true;
                        }
                    }
                }

                return false;
            } __except (EXCEPTION_EXECUTE_HANDLER) {
                return false;
            }
        });[/code]

Probably the v16 DLL needs a PatchSolution3 and has a new HeaderOfTargetFunction[]

*reinterpret_cast<const uint32_t*>(p) == 0x6b67424e

The script can't find these bytes of the public key ...

Regards

kogisin commented 2 years ago

PatchSolution doesn't seem to work for v16 for me.

**********************************************************
*       Navicat Patcher (macOS) by @DoubleLabyrinth      *
*                  Version: 5.0                          *
**********************************************************

Press Enter to continue or Ctrl + C to abort.

[+] Try to open "Contents/MacOS/Navicat Premium" ... Ok!
[+] Try to open "Contents/Frameworks/libcc-premium.dylib" ... Ok!

[-] PatchSolution0 ...... Omitted.
[-] PatchSolution1 ...... Omitted.
[-] PatchSolution2 ...... Omitted.
[-] PatchSolution3 ...... Omitted.

[*] Your Navicat version: 16.0.5

[-] Patch abort. None of PatchSolutions will be applied.
    Are you sure your Navicat has not been patched/modified before?
kogisin commented 2 years ago

I'm looking for a way to download v15, and there seems to be so many scamming sites out there. Do you know where there is legit site that has v15 Navicat Premium software for MacOS?


The 16.0.6 Chinese version no longer works.

Leskur commented 2 years ago
@kogisin You just need to modify the download link: "navicat160" to "navicat150"

https://download.navicat.com.cn/download/navicat150_premium_cs.dmg
https://download3.navicat.com/download/navicat150_premium_en.dmg
https://download.navicat.com.cn/download/navicat150_premium_cs_x64.exe
https://download3.navicat.com/download/navicat150_premium_en_x64.exe
kogisin commented 2 years ago

Thank you so much @Leskur.

kogisin commented 2 years ago

It is weird.

I get this PatchSolutions error and I referenced this issue (https://notabug.org/doublesine/navicat-keygen/issues/3) to resolve it, but it doesn't bypass the error. I guess it has something to do with the recent Mac environment. I am using an Apple M1 MacBook Pro.

[-] Patch abort. None of PatchSolutions will be applied.
    Are you sure your Navicat has not been patched/modified before?

Navicat 16.0.7 has been released. Could the experts advise how to register it? Download link: https://download3.navicat.com/download/navicat160_premium_cs_x64.exe

Release notes: https://www.navicat.com.cn/products/navicat-premium-release-note


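I tried brute-force modifying one. I could not remove the "Unregistered" text, but the trial-period popup is gone. I hope the experts can give some pointers.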

https://easychuan.cn/r/gmf68?t=nf gmf68
