About

iGlasses is a "fake camera" for OS X: it sits between your web camera and the application you are chatting with and lets you apply effects to the picture you send. It is expensive software for what it does, and it falls well short of the Windows tools in this space, which can do much more (display a cartoon character in your place, and so on). It does have one useful feature, "cam in picture", which lets you show a movie or an image to the person you are chatting with. Even that could be done better; we have yet to see a tool that offers a full set of features for giving an online presentation effectively.

iGlasses ships with a demo-timer protection that limits use of the application to 7 days. It is very easy to undo.

Removing the Nags and Demo Screens

All nag and demo screens are scheduled from the beginInteraction method, so that is the place to cut them off. The instruction at 0x10000fc20, right after the cmp against _Main, is replaced with an unconditional jmp to 0x10000fc55, the method's epilogue. Both code paths it skips set up a tail call to objc_msgSend for performSelector:withObject:afterDelay:, one with @selector(displayNagMessage) and the other with @selector(displayDemoOverMessage) as the selector argument in rdx; after the patch neither message is ever dispatched and the method simply returns. The 5-byte jmp is followed by a nop so that the instruction at 0x10000fc26 stays at its original address:

                                            methImpl_AppController_beginInteraction_:
000000010000fc14 55                              push       rbp
000000010000fc15 4889E5                          mov        rbp, rsp
000000010000fc18 66833D105C06000B                cmp        word [ds:_Main], 0xb
; JUMP!
000000010000fc20 E930000000                      jmp        0x10000fc55
000000010000fc25 90                              nop        
000000010000fc26 488B3583BB0500                  mov        rsi, qword [ds:objc_sel_performSelector_withObject_afterDelay_] ; @selector(performSelector:withObject:afterDelay:)
000000010000fc2d 488B15CCC40500                  mov        rdx, qword [ds:objc_sel_displayNagMessage] ; @selector(displayNagMessage)
000000010000fc34 EB0E                            jmp        0x10000fc44
000000010000fc36 488B3573BB0500                  mov        rsi, qword [ds:objc_sel_performSelector_withObject_afterDelay_] ; @selector(performSelector:withObject:afterDelay:) XREF=0x10000fc20
000000010000fc3d 488B15C4C40500                  mov        rdx, qword [ds:objc_sel_displayDemoOverMessage] ; @selector(displayDemoOverMessage)
000000010000fc44 F20F100574B40300                movsd      xmm0, qword [ds:0x10004b0c0]  ; XREF=0x10000fc34
000000010000fc4c 31C9                            xor        ecx, ecx
000000010000fc4e 5D                              pop        rbp
000000010000fc4f FF25FBD60400                    jmp        qword [ds:imp___got__objc_msgSend]
000000010000fc55 5D                              pop        rbp                           ; XREF=0x10000fc24, 0x10000fc20
000000010000fc56 C3                              ret        

Although this is apparently not strictly necessary, to be safe the same logic is also removed from showErrorMessage with two more jumps. The method compares the error code in eax against 0x1092, which selects the "Your iGlasses Demo has expired" message, and against 0x1093, which selects the "Welcome to the iGlasses Demo" message; making both branches unconditional (again padded with nops so the following instruction addresses are preserved) skips loading either string:

                                       ; Basic Block Input Regs: rdi -  Killed Regs: rax r14 r15
                                            methImpl_AppController_showErrorMessage:
000000010000dd51 55                              push       rbp
000000010000dd52 4889E5                          mov        rbp, rsp
000000010000dd55 4157                            push       r15
000000010000dd57 4156                            push       r14
000000010000dd59 4154                            push       r12
000000010000dd5b 53                              push       rbx
000000010000dd5c 4989FF                          mov        r15, rdi
;...
000000010000dd6a 4C8D35BF2E0600                  lea        r14, qword [ds:cfstring_Buy_Now] ; @"Buy Now"
000000010000dd71 3D92100000                      cmp        eax, 0x1092
; FIRST JUMP
000000010000dd76 E910000000                      jmp        0x10000dd8b
000000010000dd7b 90                              nop        
000000010000dd7c 90                              nop        
000000010000dd7d 90                              nop        
000000010000dd7e 90                              nop        
000000010000dd7f 488D1D8A2E0600                  lea        rbx, qword [ds:cfstring_Your_iGlasses_Demo_has_expired__Please_purchase_to_continue_using_it_] ; @"Your iGlasses Demo has expired.\\nPlease purchase to continue using it."
000000010000dd86 E9A6000000                      jmp        0x10000de31
000000010000dd8b 3D93100000                      cmp        eax, 0x1093                   ; XREF=0x10000dd76
; SECOND JUMP
000000010000dd90 E910000000                      jmp        0x10000dda5
000000010000dd95 90                              nop        
000000010000dd96 90                              nop        
000000010000dd97 90                              nop        
000000010000dd98 90                              nop        
000000010000dd99 488D1DD02E0600                  lea        rbx, qword [ds:cfstring_Welcome_to_the_iGlasses_Demo__You_can_try_out_iGlasses_for_7_days_] ; @"Welcome to the iGlasses Demo.\\nYou can try out iGlasses for 7 days."
000000010000dda0 E98C000000                      jmp        0x10000de31
000000010000dda5 488B055C810600                  mov        rax, qword [ds:_OBJC_IVAR_$_AppController.videoDevices] ; XREF=0x10000dd90
; ...

With these two jumps, showErrorMessage never falls through into the code that loads the demo-expired message or the 7-day welcome nag; execution continues at 0x10000dda5 regardless of the error code.
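To show how the replacement bytes in the two listings were derived, here is an added example (my own code, not from the original page or from the iGlasses author). It encodes `jmp rel32` for each patch site, pads the rest of the overwritten instruction with `nop`, and decodes the result back to confirm the target. The three (address, target, slot length) values are read off the listings; the segment values passed to the file-offset helper are assumptions for illustration, since the page does not show the binary's load commands.

```python
"""Re-derive the patched bytes shown in the two listings above (added example)."""

JMP_REL32 = 0xE9   # opcode of the 5-byte `jmp rel32`
NOP = 0x90         # single-byte `nop`


def encode_jmp_rel32(insn_addr: int, target: int) -> bytes:
    """Encode `jmp target` placed at insn_addr.

    The 32-bit displacement is relative to the address of the *next*
    instruction, i.e. insn_addr + 5, and is sign-extended to 64 bits.
    """
    disp = target - (insn_addr + 5)
    if not -0x8000_0000 <= disp <= 0x7FFF_FFFF:
        raise ValueError(f"{target:#x} not reachable with rel32 from {insn_addr:#x}")
    return bytes([JMP_REL32]) + disp.to_bytes(4, "little", signed=True)


def decode_jmp_rel32(insn_addr: int, code: bytes) -> int:
    """Inverse of encode_jmp_rel32: the target of the jmp rel32 at insn_addr."""
    if len(code) < 5 or code[0] != JMP_REL32:
        raise ValueError("not a jmp rel32")
    return insn_addr + 5 + int.from_bytes(code[1:5], "little", signed=True)


def patch_slot(insn_addr: int, target: int, slot_len: int) -> bytes:
    """jmp plus nop padding so the patch overwrites exactly slot_len bytes.

    The original instruction(s) at each site were longer than 5 bytes; padding
    with nops keeps the following instruction at its original address, so the
    rest of the disassembly and any other branch into it stay valid.
    """
    jmp = encode_jmp_rel32(insn_addr, target)
    if slot_len < len(jmp):
        raise ValueError("slot too small for a 5-byte jmp")
    return jmp + bytes([NOP]) * (slot_len - len(jmp))


# Patch sites from the listings: (address of the jump, its target, bytes overwritten).
# The slot length is the distance to the next instruction that must stay in place.
PATCH_SITES = {
    "beginInteraction":    (0x10000FC20, 0x10000FC55, 0x10000FC26 - 0x10000FC20),
    "showErrorMessage #1": (0x10000DD76, 0x10000DD8B, 0x10000DD7F - 0x10000DD76),
    "showErrorMessage #2": (0x10000DD90, 0x10000DDA5, 0x10000DD99 - 0x10000DD90),
}


def build_patches() -> dict:
    """Return {site name: patch bytes}, checking that each jump decodes back."""
    out = {}
    for name, (addr, target, slot) in PATCH_SITES.items():
        code = patch_slot(addr, target, slot)
        assert decode_jmp_rel32(addr, code) == target
        out[name] = code
    return out


def va_to_file_offset(va: int, seg_vmaddr: int, seg_fileoff: int) -> int:
    """Translate a virtual address to a file offset using the containing
    Mach-O segment's vmaddr and fileoff (read them with `otool -l`). The
    real values for this binary are not on the page, so none are hard-coded."""
    return va - seg_vmaddr + seg_fileoff


if __name__ == "__main__":
    for name, code in build_patches().items():
        print(f"{name:22s} {code.hex().upper()}")
```

The addresses in the listings are virtual addresses as the disassembler shows them; before writing the bytes into the file you still have to translate them through the __TEXT segment with va_to_file_offset, or let a tool such as bspatch do the writing for you, as the next section does.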

Applying the Patch

The patch for version 2.4.5 must be applied to the binary /Library/Application Support/iGlasses3/iGlasses.app/Contents/MacOS/iGlasses. It is given here in bsdiff format, uuencoded:

begin 644 iGlasses.bsdiff
M0E-$249&-#!2`````````!$!`````````(@1``````!"6F@Y,4%9)E-9F`3W
MA```%W)>^*A$``"`@(!`0`0`0```#``@0``@`#%,)IH#3$(U!H::!B5.1)DK
MF``N^R[52AG<V>(2!\7<D4X4)"8!/>$`0EIH.3%!629360NI7S\``$;__\WB
M0`90`T!`1`!`&+$B#(1!=$"@,`!%`,``T@Q`#$7KL`#X4(I/*>D>D&1ID!IH
MR,@]-$9J,T1@.8!-,`F0P`!,$P```1*4TC3(!D!H&@`T`T`T>C4U[#.9:$[,
MX&@Q46U<H/[$9%$MQ0`#;@H"([4%%#AN+@(WI(7YT%*:A#)+("J"!DQ?!9E+
M:)R$#3A<(0M4OWJ(`(@8X#P1PQ6HB'5-*'A`0$0,>+ILJ0[)Z3R$?0)2[T(]
M`O9@#8^<N0'4%'@'^GJ23'34!44FF!W/=9]GUE*Z]`LZS-57;',5E##Z47,0
MA!NQ4!$#O/.FY)`R&#/58?XNY(IPH2`74KY^0EIH.3%!62936?+KR<<``"Q@
<`,``0```""``(*4T&8PIL13Q=R13A0D/+KR<<```
`
end

For more information on how to apply this patch, see the applying binary patches section. Note that bspatch does not check that the file it is given is the one the patch was made against (the BSDIFF40 format carries no hash of the old file), so make sure you really are patching version 2.4.5 and keep a copy of the original binary.
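As an added example (my own code, not from the page, the iGlasses author or the bsdiff project), the following decodes the uuencoded text above, parses the BSDIFF40 header and its three bzip2 streams, and cross-checks them the way a practitioner would before trusting a patch: each stream must start with the bzip2 magic, the control entries must account for exactly the new file size, and the decompressed diff and extra streams must be exactly as long as the control entries consume. It also contains a minimal bspatch in Python; because the iGlasses binary itself is not on the page, that part is exercised on a small constructed old/new pair built by a helper that is a test fixture, not bsdiff's own algorithm.

```python
"""Decode, validate and apply a BSDIFF40 patch (added example)."""
import binascii
import bz2

# The patch from the page, uuencoded body only (begin/end lines dropped).
IGLASSES_PATCH_UU = r"""
M0E-$249&-#!2`````````!$!`````````(@1``````!"6F@Y,4%9)E-9F`3W
MA```%W)>^*A$``"`@(!`0`0`0```#``@0``@`#%,)IH#3$(U!H::!B5.1)DK
MF``N^R[52AG<V>(2!\7<D4X4)"8!/>$`0EIH.3%!629360NI7S\``$;__\WB
M0`90`T!`1`!`&+$B#(1!=$"@,`!%`,``T@Q`#$7KL`#X4(I/*>D>D&1ID!IH
MR,@]-$9J,T1@.8!-,`F0P`!,$P```1*4TC3(!D!H&@`T`T`T>C4U[#.9:$[,
MX&@Q46U<H/[$9%$MQ0`#;@H"([4%%#AN+@(WI(7YT%*:A#)+("J"!DQ?!9E+
M:)R$#3A<(0M4OWJ(`(@8X#P1PQ6HB'5-*'A`0$0,>+ILJ0[)Z3R$?0)2[T(]
M`O9@#8^<N0'4%'@'^GJ23'34!44FF!W/=9]GUE*Z]`LZS-57;',5E##Z47,0
MA!NQ4!$#O/.FY)`R&#/58?XNY(IPH2`74KY^0EIH.3%!62936?+KR<<``"Q@
<`,``0```""``(*4T&8PIL13Q=R13A0D/+KR<<```
"""


def uudecode(text: str) -> bytes:
    """Decode the body of a uuencoded file, one length-prefixed line at a time."""
    out = bytearray()
    for line in text.splitlines():
        if line.strip():
            out += binascii.a2b_uu(line)
    return bytes(out)


def off_in(b: bytes) -> int:
    """bsdiff's offtin: 8-byte little-endian sign-magnitude integer."""
    mag = int.from_bytes(b[:8], "little") & 0x7FFF_FFFF_FFFF_FFFF
    return -mag if b[7] & 0x80 else mag


def off_out(x: int) -> bytes:
    """bsdiff's offtout, the inverse of off_in."""
    b = bytearray(abs(x).to_bytes(8, "little"))
    if x < 0:
        b[7] |= 0x80
    return bytes(b)


def parse_bsdiff(patch: bytes) -> dict:
    """Parse a BSDIFF40 patch and cross-check its structure.

    Layout: 8-byte magic, three offtout fields (compressed control length X,
    compressed diff length Y, new file size), then bzip2 streams for the
    control block (X bytes), the diff block (Y bytes) and the extra block (rest).
    """
    if patch[:8] != b"BSDIFF40":
        raise ValueError("bad magic")
    ctrl_len, diff_len, new_size = (off_in(patch[o:o + 8]) for o in (8, 16, 24))
    if min(ctrl_len, diff_len, new_size) < 0 or 32 + ctrl_len + diff_len > len(patch):
        raise ValueError("corrupt header")
    streams = (patch[32:32 + ctrl_len],
               patch[32 + ctrl_len:32 + ctrl_len + diff_len],
               patch[32 + ctrl_len + diff_len:])
    if any(s[:3] != b"BZh" for s in streams):
        raise ValueError("block does not start with a bzip2 stream")
    ctrl_raw, diff, extra = (bz2.decompress(s) for s in streams)
    if len(ctrl_raw) % 24:
        raise ValueError("control block is not a whole number of 24-byte entries")
    control = [tuple(off_in(ctrl_raw[i + k:i + k + 8]) for k in (0, 8, 16))
               for i in range(0, len(ctrl_raw), 24)]
    # Every byte of the new file comes from exactly one diff run or extra run.
    if sum(d + e for d, e, _ in control) != new_size:
        raise ValueError("control entries do not cover the new file")
    if sum(d for d, _, _ in control) != len(diff) or sum(e for _, e, _ in control) != len(extra):
        raise ValueError("diff/extra stream length disagrees with control block")
    return {"ctrl_len": ctrl_len, "diff_len": diff_len, "extra_len": len(streams[2]),
            "new_size": new_size, "control": control, "diff": diff, "extra": extra}


def bspatch(old: bytes, patch: bytes) -> bytes:
    """Apply a BSDIFF40 patch the way bspatch does. There is no check that
    `old` is the file the patch was made from: a wrong input yields garbage."""
    p = parse_bsdiff(patch)
    new, diff, extra = bytearray(p["new_size"]), p["diff"], p["extra"]
    oldpos = newpos = diffpos = extrapos = 0
    for diff_run, extra_run, seek in p["control"]:
        for i in range(diff_run):              # diff run: old byte plus delta
            b = diff[diffpos + i]
            if 0 <= oldpos + i < len(old):     # bytes outside old count as 0
                b = (b + old[oldpos + i]) & 0xFF
            new[newpos + i] = b
        newpos, oldpos, diffpos = newpos + diff_run, oldpos + diff_run, diffpos + diff_run
        new[newpos:newpos + extra_run] = extra[extrapos:extrapos + extra_run]
        newpos, extrapos = newpos + extra_run, extrapos + extra_run
        oldpos += seek                         # may move backwards
    return bytes(new)


def make_patch_single_diff(old: bytes, new: bytes) -> bytes:
    """Constructed test fixture: a valid BSDIFF40 patch with one control entry
    that expresses all of `new` as a diff run against `old` (no extra, no seek)."""
    delta = bytes((n - (old[i] if i < len(old) else 0)) & 0xFF for i, n in enumerate(new))
    c, d, e = (bz2.compress(x) for x in (off_out(len(new)) + off_out(0) + off_out(0), delta, b""))
    return b"BSDIFF40" + off_out(len(c)) + off_out(len(d)) + off_out(len(new)) + c + d + e


def iglasses_patch_summary() -> dict:
    """Header fields and number of control entries of the patch printed above."""
    p = parse_bsdiff(uudecode(IGLASSES_PATCH_UU))
    return {"ctrl_len": p["ctrl_len"], "diff_len": p["diff_len"], "extra_len": p["extra_len"],
            "new_size": p["new_size"], "entries": len(p["control"])}


if __name__ == "__main__":
    print(iglasses_patch_summary())
```

Running the file prints the header of the patch above: the new-file size field is the size the patched iGlasses binary must come out at, which is a cheap thing to compare against `ls -l` after applying it. The bspatch function is faithful to the C original but is meant for inspection and small experiments; for the real binary use the bsdiff tools.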

Killing the Resident Program

Before applying the patch to the latest version, 2.4.5, make sure iGlasses is not running; the Activity Monitor application bundled with OS X will show you. iGlasses stays resident after its first run, which is not very thoughtful of them.

In Activity Monitor, search for iGlasses and quit it with the X (Quit Process) button; it relaunches itself, so you will see the PID change rather than the process disappear. Because of this, repeat the same step after applying the patch, so that the relaunched instance is running the patched binary; only then can you be sure the crack worked.