You are here: start / cracks / daisydisk

Table of Contents

About

DaisyDisk is a program that scans an OSX harddrive and conveniently displays the occupied space so that users can pick-out what is eating their harddrive space.

The trial limitation includes:

  • nag-screens
  • nasty button on the window pane that says "test drive".
  • disabling the deletion of collected files.

So, we take DaisyDisk for a test drive and break the protections.

Nag Screens

The nag screens are easily disabled by crippling the TrialNagWindowController: 

                                            methImpl_TrialNagWindowController_init:
00000001000ae52c 55                              push       rbp
00000001000ae52d 4889E5                          mov        rbp, rsp
00000001000ae530 4883EC10                        sub        rsp, 0x10
00000001000ae534 E921000000                      jmp        0x1000ae55a
00000001000ae539 90                              nop        
00000001000ae53a 90                              nop        
00000001000ae53b 90                              nop        
00000001000ae53c 90                              nop        
00000001000ae53d 90                              nop        
00000001000ae53e 90                              nop        
00000001000ae53f 488945F8                        mov        qword [ss:rbp+0xfffffffffffffff8], rax
00000001000ae543 488B358E3F0A00                  mov        rsi, qword [ds:objc_sel_initWithNibName_] ; @selector(initWithNibName:)
00000001000ae54a 488D7DF0                        lea        rdi, qword [ss:rbp+0xfffffffffffffff0]
00000001000ae54e 488D1533660B00                  lea        rdx, qword [ds:cfstring_TrialNagWindow] ; @"TrialNagWindow"
00000001000ae555 E876610100                      call       imp___stubs__objc_msgSendSuper2
00000001000ae55a 4883C410                        add        rsp, 0x10                     ; XREF=0x1000ae534
00000001000ae55e 5D                              pop        rbp
00000001000ae55f C3                              ret

Nag Button

To eliminate the nag button, we nop the je around 0x0100029829: 

0000000100029822 4584ED                          test       r13L, r13L                    ; case 0 XREF=0x100029725, 0x100029748, 0x10002978a, 0x1000297be, 0x100029772
0000000100029825 488B5DC8                        mov        rbx, qword [ss:rbp+0xffffffffffffffc8]
0000000100029829 90                              nop        
000000010002982a 90                              nop        
000000010002982b 488B357E641200                  mov        rsi, qword [ds:objc_sel_hideTitleButton] ; @selector(hideTitleButton)
0000000100029832 4C8B35D7BB0E00                  mov        r14, qword [ds:imp___got__objc_msgSend]
0000000100029839 4889DF                          mov        rdi, rbx
000000010002983c 41FFD6                          call       r14
000000010002983f 488B3572641200                  mov        rsi, qword [ds:objc_sel_exitAllNagScreens] ; @selector(exitAllNagScreens)
0000000100029846 4889DF                          mov        rdi, rbx
0000000100029849 41FFD6                          call       r14
000000010002984c 488B05352B1300                  mov        rax, qword [ds:0x10015c388]
0000000100029853 488B3C03                        mov        rdi, qword [ds:rbx+rax]
0000000100029857 488B3562641200                  mov        rsi, qword [ds:objc_sel_setWatermarkVisible_] ; @selector(setWatermarkVisible:)
000000010002985e 31D2                            xor        edx, edx
0000000100029860 41FFD6                          call       r14
0000000100029863 488B052E2B1300                  mov        rax, qword [ds:0x10015c398]
000000010002986a 488B3C03                        mov        rdi, qword [ds:rbx+rax]
000000010002986e 488B354B641200                  mov        rsi, qword [ds:objc_sel_setWatermarkVisible_] ; @selector(setWatermarkVisible:)
0000000100029875 31D2                            xor        edx, edx
0000000100029877 41FFD6                          call       r14
000000010002987a 488B05572B1300                  mov        rax, qword [ds:0x10015c3d8]
0000000100029881 488B3C03                        mov        rdi, qword [ds:rbx+rax]
0000000100029885 488B356C4F1200                  mov        rsi, qword [ds:objc_sel_setHidden_] ; @selector(setHidden:)
000000010002988c BA01000000                      mov        edx, 0x1
0000000100029891 EB66                            jmp        0x1000298f9
0000000100029893 488B352E641200                  mov        rsi, qword [ds:objc_sel_showBuyNowButton_] ; @selector(showBuyNowButton:) XREF=0x100029829
Before After

The result can be seen in the images above.

Enabling Deletion

Deleting files is disabled in the trial version, however this can easily be circumvented by jumping over the license key verification procedure and other intermediary steps: 

                                            methImpl_SourceController_beginExecution:
00000001000841df 55                              push       rbp
00000001000841e0 4889E5                          mov        rbp, rsp
00000001000841e3 4157                            push       r15
00000001000841e5 4156                            push       r14
00000001000841e7 4155                            push       r13
00000001000841e9 4154                            push       r12
00000001000841eb 53                              push       rbx
00000001000841ec 4881ECB8010000                  sub        rsp, 0x1b8
00000001000841f3 4889B540FEFFFF                  mov        qword [ss:rbp+0xfffffffffffffe40], rsi
00000001000841fa 4989FD                          mov        r13, rdi
00000001000841fd 488B057C100900                  mov        rax, qword [ds:imp___got____stack_chk_guard]
0000000100084204 488B00                          mov        rax, qword [ds:rax]
0000000100084207 488945D0                        mov        qword [ss:rbp+0xffffffffffffffd0], rax
000000010008420b 488B352EC60C00                  mov        rsi, qword [ds:objc_sel_isScanning] ; @selector(isScanning)
0000000100084212 4C89EF                          mov        rdi, r13
0000000100084215 FF15F5110900                    call       qword [ds:imp___got__objc_msgSend]
000000010008421b 84C0                            test       al, al
000000010008421d 0F850D0B0000                    jne        0x100084d30
0000000100084223 488B3516BB0C00                  mov        rsi, qword [ds:objc_sel_isCountingDown] ; @selector(isCountingDown)
000000010008422a 4C89EF                          mov        rdi, r13
000000010008422d FF15DD110900                    call       qword [ds:imp___got__objc_msgSend]
0000000100084233 84C0                            test       al, al
0000000100084235 0F85F50A0000                    jne        0x100084d30
000000010008423b 488B3506BB0C00                  mov        rsi, qword [ds:objc_sel_isExecuting] ; @selector(isExecuting)
0000000100084242 4C89EF                          mov        rdi, r13
0000000100084245 FF15C5110900                    call       qword [ds:imp___got__objc_msgSend]
000000010008424b 84C0                            test       al, al
000000010008424d 0F85DD0A0000                    jne        0x100084d30
0000000100084253 488B352EA80C00                  mov        rsi, qword [ds:objc_sel_licenseKeyFromDisk] ; @selector(licenseKeyFromDisk)
000000010008425a 488B3D2FED0C00                  mov        rdi, qword [ds:objc_classref_LicenseKey]
0000000100084261 FF15A9110900                    call       qword [ds:imp___got__objc_msgSend]
0000000100084267 4530F6                          xor        r14L, r14L
000000010008426a 4885C0                          test       rax, rax
000000010008426d E9B8080000                      jmp        0x100084b2a
0000000100084272 90                              nop
...
0000000100084b2a 488B05A7880D00                  mov        rax, qword [ds:0x10015d3d8]   ; XREF=0x100084a25, 0x100084a72, 0x100084aa3, 0x10008426d
0000000100084b31 49C744050000000000              mov        qword [ds:r13+rax+0x0], 0x0
0000000100084b3a 488B059F880D00                  mov        rax, qword [ds:0x10015d3e0]
0000000100084b41 41C644050000                    mov        byte [ds:r13+rax+0x0], 0x0
0000000100084b47 488B0582880D00                  mov        rax, qword [ds:0x10015d3d0]
0000000100084b4e 41C744050000000000              mov        dword [ds:r13+rax+0x0], 0x0
0000000100084b57 488B1DB2080900                  mov        rbx, qword [ds:imp___got__objc_msgSend]
0000000100084b5e 488B05C3870D00                  mov        rax, qword [ds:0x10015d328]
0000000100084b65 498B7C0500                      mov        rdi, qword [ds:r13+rax+0x0]
0000000100084b6a 488B3527D00C00                  mov        rsi, qword [ds:objc_sel_executionDidBegin] ; @selector(executionDidBegin)
...

At 0x10008426d, we jump over the protections and proceed with the deletion.

That's it for DaisyDisk 2.1.2.

cracks/daisydisk.txt ยท Last modified: 2022/04/19 08:28 by 127.0.0.1
You are here: start / cracks / daisydisk

Access website using Tor Access website using i2p Wizardry and Steamworks PGP Key


For the contact, copyright, license, warranty and privacy terms for the usage of this website please see the contact, license, privacy, copyright.