CleanGenius is a Mac cleaner with a nice interface that performs the same functions as AppTrap, Onyx and other similar tools. The protection is a 15-day trial nag screen which can easily be disabled.
A search for symbols reveals the following interesting bits:
- cfstring at 0x1000cccd8
- cfstring at 0x1000cccf8
The title nag can be removed by NOPing out the jne at 0x100016be1:
; Basic Block Input Regs: r13 - Killed Regs: rax
0000000100016bd0 488B05912E0B00   mov rax, qword [ds:_OBJC_IVAR_$_DBPrefsWindowController.dayNum] ; XREF=0x100016b1d
0000000100016bd7 418B440500       mov eax, dword [ds:r13+rax+0x0]
0000000100016bdc 3D3F420F00       cmp eax, 0xF423F
0000000100016be1 752B             jne 0x100016C0E
; Basic Block Input Regs: rax r13 - Killed Regs: rdx rbx rsi rdi
0000000100016be3 488B351EC20A00   mov rsi, qword [ds:objc_sel_window] ; @selector(window)
0000000100016bea 488B1D9FA50800   mov rbx, qword [ds:imp___got__objc_msgSend]
0000000100016bf1 4C89EF           mov rdi, r13
0000000100016bf4 FFD3             call rbx
0000000100016bf6 488B35FBC30A00   mov rsi, qword [ds:objc_sel_setTitle_] ; @selector(setTitle:)
0000000100016bfd 488D15B4600B00   lea rdx, qword [ds:cfstring_CleanGenius] ; @"CleanGenius"
0000000100016c04 4889C7           mov rdi, rax
0000000100016c07 FFD3             call rbx
0000000100016c09 E98B000000       jmp 0x100016C99
; Basic Block Input Regs: rax - Killed Regs: <nothing>
0000000100016c0e 85C0             test eax, eax ; XREF=0x100016be1
0000000100016c10 7F33             jnle 0x100016C45
; Basic Block Input Regs: rax r13 - Killed Regs: rax rdx rbx rsi rdi r14
0000000100016c12 488B35EFC10A00   mov rsi, qword [ds:objc_sel_window] ; @selector(window)
0000000100016c19 4C8B3570A50800   mov r14, qword [ds:imp___got__objc_msgSend]
0000000100016c20 4C89EF           mov rdi, r13
0000000100016c23 41FFD6           call r14
0000000100016c26 4889C3           mov rbx, rax
0000000100016c29 488B35A8C30A00   mov rsi, qword [ds:objc_sel_stringWithFormat_] ; @selector(stringWithFormat:)
0000000100016c30 488B3D41EE0A00   mov rdi, qword [ds:bind__OBJC_CLASS_$_NSString]
0000000100016c37 488D159A600B00   lea rdx, qword [ds:cfstring_CleanGenius___Your_trial_version_has_expired] ; @"CleanGenius - Your trial version has expired"
This has the effect of sliding through the nops into the block that sets the title to "CleanGenius", followed by the jmp at 0x100016c09 that skips the "trial version has expired" title.
Another bomb is in windowDidLoad, around 0x10004bd71:
====== B E G I N   O F   P R O C E D U R E ======
; Basic Block Input Regs: rdi - Killed Regs: rax rbx rbp rsi rdi
methImpl_ActivateWinController_windowDidLoad:
000000010004bd71 55               push rbp
000000010004bd72 4889E5           mov rbp, rsp
000000010004bd75 4156             push r14
000000010004bd77 53               push rbx
000000010004bd78 4883EC10         sub rsp, 0x10
000000010004bd7c 4889FB           mov rbx, rdi
000000010004bd7f 48895DE0         mov qword [ss:rbp-0x20+var_0], rbx
000000010004bd83 488B0566A30700   mov rax, qword [ds:0x1000C60F0]
000000010004bd8a 488945E8         mov qword [ss:rbp-0x20+var_8], rax
000000010004bd8e 488B3583790700   mov rsi, qword [ds:objc_sel_windowDidLoad] ; @selector(windowDidLoad)
000000010004bd95 488D7DE0         lea rdi, qword [ss:rbp-0x20+var_0]
000000010004bd99 E8B28A0200       call imp___stubs__objc_msgSendSuper2
000000010004bd9e 488B054BEC0700   mov rax, qword [ds:_OBJC_IVAR_$_ActivateWinController.dayNum]
000000010004bda5 8B0403           mov eax, dword [ds:rbx+rax]
000000010004bda8 85C0             test eax, eax
000000010004bdaa 7921             jns 0x10004BDCD
; Basic Block Input Regs: rbx - Killed Regs: rax rdx rsi rdi
000000010004bdac 488B0545EC0700   mov rax, qword [ds:_OBJC_IVAR_$_ActivateWinController.trialDayTextFiled]
000000010004bdb3 488B3C03         mov rdi, qword [ds:rbx+rax]
000000010004bdb7 488B35F2780700   mov rsi, qword [ds:objc_sel_setStringValue_] ; @selector(setStringValue:)
000000010004bdbe 488D1533F80700   lea rdx, qword [ds:cfstring_] ; @""
000000010004bdc5 FF15C5530500     call qword [ds:imp___got__objc_msgSend]
000000010004bdcb EB63             jmp 0x10004BE30
; Basic Block Input Regs: rax rbx - Killed Regs: rcx rbx rdi
000000010004bdcd 488B0D24EC0700   mov rcx, qword [ds:_OBJC_IVAR_$_ActivateWinController.trialDayTextFiled] ; XREF=0x10004bdaa
000000010004bdd4 488B1C0B         mov rbx, qword [ds:rbx+rcx]
000000010004bdd8 488B3D999C0700   mov rdi, qword [ds:bind__OBJC_CLASS_$_NSString]
000000010004bddf 85C0             test eax, eax
000000010004bde1 7E23             jle 0x10004BE06
; Basic Block Input Regs: rax - Killed Regs: rax rcx rdx rsi r14
000000010004bde3 B910000000       mov ecx, 0x10
000000010004bde8 29C1             sub ecx, eax
000000010004bdea 488B35E7710700   mov rsi, qword [ds:objc_sel_stringWithFormat_] ; @selector(stringWithFormat:)
000000010004bdf1 488D1580460800   lea rdx, qword [ds:cfstring_Your_trial_period__Day__d_of_15_has_been_used] ; @"Your trial period: Day %d of 15 has been used"
Here we notice the jmp at 0x10004bdcb to the end of the method, which skips the rest of the "trial expired" nags. We go up and replace the jns at 0x10004bdaa so that it goes to the same destination as that jmp, 0x10004BE30.
The next bomb is in trialAlertView, which is just a test at 0x1000491f1 that checks whether the trial window should be shown.
====== B E G I N   O F   P R O C E D U R E ======
; Basic Block Input Regs: rdx rdi - Killed Regs: rbx
methImpl_TrailControInfo_trailAlertView_:
00000001000491e7 55               push rbp
00000001000491e8 4889E5           mov rbp, rsp
00000001000491eb 4156             push r14
00000001000491ed 53               push rbx
00000001000491ee 4889FB           mov rbx, rdi
00000001000491f1 84D2             test dl, dl
00000001000491f3 7505             jne 0x1000491FA
; Basic Block Input Regs: rsp - Killed Regs: rbx rbp r14
00000001000491f5 5B               pop rbx
00000001000491f6 415E             pop r14
00000001000491f8 5D               pop rbp
00000001000491f9 C3               ret
Depending on the outcome of the test, the method either returns or proceeds to display the window by taking the jne. So we disable the jne by NOPing it out:
methImpl_TrailControInfo_trailAlertView_:
00000001000491e7 55               push rbp
00000001000491e8 4889E5           mov rbp, rsp
00000001000491eb 4156             push r14
00000001000491ed 53               push rbx
00000001000491ee 4889FB           mov rbx, rdi
00000001000491f1 84D2             test dl, dl
00000001000491f3 90               nop
00000001000491f4 90               nop
00000001000491f5 5B               pop rbx
00000001000491f6 415E             pop r14
00000001000491f8 5D               pop rbp
00000001000491f9 C3               ret
The final bomb is in setIsShowTrialWindow, which we NOP out as well:
methImpl_UtilityObject_setIsShowTrialWindow_:
00000001000136be 55               push rbp
00000001000136bf 90               nop
00000001000136c0 90               nop
00000001000136c1 90               nop
00000001000136c2 90               nop
00000001000136c3 90               nop
00000001000136c4 90               nop
00000001000136c5 90               nop
00000001000136c6 90               nop
00000001000136c7 90               nop
00000001000136c8 90               nop
00000001000136c9 90               nop
00000001000136ca 90               nop
00000001000136cb 90               nop
00000001000136cc 5D               pop rbp
00000001000136cd C3               ret
That's it.
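From the other side of the fence, every patch above is a handful of bytes that no longer match what the developer shipped, so the natural mitigation is an integrity check over the code that gates the trial. The script below is an added example, not code from this write-up or from CleanGenius: it parses a Hopper-style listing (the trialAlertView listing from this page, pasted in as constructed input) into the bytes expected at each address, then compares a copy of that region against them and reports exactly which addresses differ. The function and constant names are my own; a real product would compute the reference digest at build time and check it from inside the binary rather than from a listing.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Hopper-style listing line: 16-hex-digit address, the encoded bytes, then the mnemonic.
# Basic-block annotations (";"), banners ("======") and labels ("...:") do not match.
LISTING_RE = re.compile(r"^([0-9a-fA-F]{16})\s+([0-9a-fA-F]+)\s+(\S.*)$")

# Constructed input: the unpatched trialAlertView listing from the page.
TRAIL_ALERT_ORIGINAL = """\
; Basic Block Input Regs: rdx rdi - Killed Regs: rbx
methImpl_TrailControInfo_trailAlertView_:
00000001000491e7 55               push rbp
00000001000491e8 4889E5           mov rbp, rsp
00000001000491eb 4156             push r14
00000001000491ed 53               push rbx
00000001000491ee 4889FB           mov rbx, rdi
00000001000491f1 84D2             test dl, dl
00000001000491f3 7505             jne 0x1000491FA
; Basic Block Input Regs: rsp - Killed Regs: rbx rbp r14
00000001000491f5 5B               pop rbx
00000001000491f6 415E             pop r14
00000001000491f8 5D               pop rbp
00000001000491f9 C3               ret
"""

# Constructed input: the same region after the jne has been replaced by two nops.
TRAIL_ALERT_NOPPED = """\
00000001000491e7 55               push rbp
00000001000491e8 4889E5           mov rbp, rsp
00000001000491eb 4156             push r14
00000001000491ed 53               push rbx
00000001000491ee 4889FB           mov rbx, rdi
00000001000491f1 84D2             test dl, dl
00000001000491f3 90               nop
00000001000491f4 90               nop
00000001000491f5 5B               pop rbx
00000001000491f6 415E             pop r14
00000001000491f8 5D               pop rbp
00000001000491f9 C3               ret
"""


def parse_listing(text: str) -> Dict[int, bytes]:
    """Map each instruction address in a listing to its encoded bytes."""
    instrs: Dict[int, bytes] = {}
    for line in text.splitlines():
        m = LISTING_RE.match(line.strip())
        if m:
            instrs[int(m.group(1), 16)] = bytes.fromhex(m.group(2))
    return instrs


def flatten(instrs: Dict[int, bytes]) -> Tuple[int, bytes]:
    """Concatenate the instruction bytes into one image, refusing gaps or overlaps."""
    base = min(instrs)
    buf = bytearray()
    for addr in sorted(instrs):
        if addr != base + len(buf):
            raise ValueError(f"listing is not contiguous at {addr:#x}")
        buf += instrs[addr]
    return base, bytes(buf)


def find_tampering(expected: Dict[int, bytes], image: bytes,
                   image_base: int) -> List[Tuple[int, bytes, bytes]]:
    """Return (address, expected bytes, actual bytes) for every instruction that differs."""
    mismatches = []
    for addr, want in sorted(expected.items()):
        off = addr - image_base
        got = image[off:off + len(want)] if 0 <= off <= len(image) else b""
        if got != want:
            mismatches.append((addr, want, got))
    return mismatches


def region_digest(image: bytes) -> str:
    """Reference digest a developer would embed and re-check at run time."""
    return hashlib.sha256(image).hexdigest()


if __name__ == "__main__":
    expected = parse_listing(TRAIL_ALERT_ORIGINAL)
    base, pristine = flatten(expected)
    _, patched = flatten(parse_listing(TRAIL_ALERT_NOPPED))
    print("pristine digest:", region_digest(pristine))
    print("patched digest: ", region_digest(patched))
    for addr, want, got in find_tampering(expected, patched, base):
        print(f"{addr:#x}: expected {want.hex()} found {got.hex()}")
```

Run as a script it prints the two digests and a single line for 0x1000491f3, where `7505` has become `9090`; every other instruction in the region is untouched, which is why a per-instruction diff is more useful to a developer than a bare digest mismatch.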
We quickly uninstalled the application after breaking it because it is extremely crap compared to free alternatives such as "Onyx". Seriously? All it has is a duplicate finder, which you could do at the bash prompt; an application "uninstaller", for which you could use the free system-wide AppTrap application that automatically monitors any application you throw in the trashcan; then the Internet myth of "Freeing Memory", when all it does is swap out pages; and a bullshit "Login Items" de-activator, which can be done from the preferences.
This sort of garbage pollutes the internet these days… Perhaps a new GreenPeace-like society should be instituted to protest against garbage applications and misinformation. People are misguided into buying these things by flashy graphics and lame advertisements, only to figure out later the mistake they made. Not to mention that gimmick "lifehacker" who recommends this junk to his precious fans. It's like selling fake jewels to seniors over the shopping network.