You are here: start / cracks / grappler

Shortnote

Grappler is a software package able to download and search movies for OSX. It allows downloading YouTube movies even with the new redesign of their webpages. The trial contains limits imposed on the number of downloads.

First check whether the application has expired is to be found in the checkRegistration method at 0x100002878: 

                                            methImpl_GrapplerAppDelegate_checkRegistration:
0000000100002878 55                              push       rbp
0000000100002879 4889E5                          mov        rbp, rsp
000000010000287c 4157                            push       r15
000000010000287e 4156                            push       r14
0000000100002880 53                              push       rbx
0000000100002881 50                              push       rax
0000000100002882 4989FE                          mov        r14, rdi
0000000100002885 488B0544070400                  mov        rax, qword [ds:_OBJC_IVAR_$_GrapplerAppDelegate.checkedRegistration]
000000010000288c 41C6040601                      mov        byte [ds:r14+rax], 0x1
0000000100002891 B001                            mov        al, 0x1
0000000100002893 488B0D3E070400                  mov        rcx, qword [ds:_OBJC_IVAR_$_GrapplerAppDelegate.checkedRegistrationIsExpired]
000000010000289a 41803C0E00                      cmp        byte [ds:r14+rcx], 0x0
000000010000289f E9BA000000                      jmp        0x10000295E
...
000000010000295e 0FB6C0                          movzx      eax, al                       ; XREF=0x10000289f
0000000100002961 4883C408                        add        rsp, 0x8
0000000100002965 5B                              pop        rbx
0000000100002966 415E                            pop        r14
0000000100002968 415F                            pop        r15
000000010000296a 5D                              pop        rbp
000000010000296b C3                              ret

The canAnotherFileStart method is responsible for checking whether the number of downloads has been reached. We jump over that at 0x100004e90: 

                                            methImpl_GrapplerAppDelegate_canAnotherFileStart:
0000000100004e5c 55                              push       rbp
0000000100004e5d 4889E5                          mov        rbp, rsp
0000000100004e60 4157                            push       r15
0000000100004e62 4156                            push       r14
0000000100004e64 53                              push       rbx
0000000100004e65 50                              push       rax
0000000100004e66 4989FE                          mov        r14, rdi
0000000100004e69 488B3540B90300                  mov        rsi, qword [ds:objc_sel_sharedRegistrationManager] ; @selector(sharedRegistrationManager)
0000000100004e70 488B3D59CF0300                  mov        rdi, qword [ds:bind__OBJC_CLASS_$_AFRegistrationManager]
0000000100004e77 488B1D92320300                  mov        rbx, qword [ds:imp___got__objc_msgSend]
0000000100004e7e FFD3                            call       rbx
0000000100004e80 488B3591BC0300                  mov        rsi, qword [ds:objc_sel_isRegistered] ; @selector(isRegistered)
0000000100004e87 4889C7                          mov        rdi, rax
0000000100004e8a FFD3                            call       rbx
0000000100004e8c B101                            mov        cl, 0x1
0000000100004e8e 84C0                            test       al, al
0000000100004e90 E943000000                      jmp        0x100004ED8
...
0000000100004ed8 0FB6C1                          movzx      eax, cl                       ; XREF=0x100004e90
0000000100004edb 4883C408                        add        rsp, 0x8
0000000100004edf 5B                              pop        rbx
0000000100004ee0 415E                            pop        r14
0000000100004ee2 415F                            pop        r15
0000000100004ee4 5D                              pop        rbp
0000000100004ee5 C3                              ret

Additionally we avoid incrementing the counter in the fileDidComplete method by jumping at 0x100004e13: 

                                            methImpl_GrapplerAppDelegate_fileDidComplete_:
0000000100004d07 55                              push       rbp
...
0000000100004d61 E9AB000000                      jmp        0x100004E11
0000000100004d66 90                              nop
0000000100004d66 90                              nop        
0000000100004d67 488B3542BA0300                  mov        rsi, qword [ds:objc_sel_sharedRegistrationManager] ; @selector(sharedRegistrationManager)
0000000100004d6e 488B3D5BD00300                  mov        rdi, qword [ds:bind__OBJC_CLASS_$_AFRegistrationManager]
0000000100004d75 4C8B3594330300                  mov        r14, qword [ds:imp___got__objc_msgSend]
0000000100004d7c 41FFD6                          call       r14
0000000100004d7f 488B357ABD0300                  mov        rsi, qword [ds:objc_sel_incrementTrial] ; @selector(incrementTrial)
...
0000000100004e11 84DB                            test       bl, bl                        ; XREF=0x100004d61
0000000100004e13 74EF                            je         0x100004E04

Framework

The registration frameworks to be found at Grappler.app/Contents/Frameworks/AFRegistration.framework/Versions/A/AFRegistration contains further checks.

First, the nag screen can be avoided altogether by suppressing the showTrial method. 

                                            methImpl_AFRegistrationWindowController_showTrial:
0000000000002f00 55                              push       rbp
...
0000000000002f44 488B35DD490100                  mov        rsi, qword [ds:objc_sel_supressNagWindow] ; @selector(supressNagWindow)
0000000000002f4b 4889C7                          mov        rdi, rax
0000000000002f4e 41FFD6                          call       r14
0000000000002f51 3C01                            cmp        al, 0x1
0000000000002f53 E902000000                      jmp        0x2F5A
0000000000002f58 5D                              pop        rbp
0000000000002f59 C3                              ret        
0000000000002f5a 488B35CF490100                  mov        rsi, qword [ds:objc_sel_close] ; @selector(close) XREF=0x2f53
0000000000002f61 4889DF                          mov        rdi, rbx
0000000000002f64 5B                              pop        rbx
0000000000002f65 415E                            pop        r14
0000000000002f67 5D                              pop        rbp
0000000000002f68 FF25FA100100                    jmp        qword [ds:imp___got__objc_msgSend]

Similarly, we avoid incrementing the trial count: 

                                            methImpl_AFRegistrationManager_incrementTrial:
000000000000577e 55                              push       rbp
...
00000000000057d4 E925000000                      jmp        0x57FE
00000000000057d9 7523                            jne        0x57FE
00000000000057db 488B05C6490100                  mov        rax, qword [ds:_OBJC_IVAR_$_AFRegistrationManager.delegate]
00000000000057e2 488B3C03                        mov        rdi, qword [ds:rbx+rax]
00000000000057e6 488B1553240100                  mov        rdx, qword [ds:objc_sel_registrationExpired] ; @selector(registrationExpired)
00000000000057ed 488D359C2A0100                  lea        rsi, qword [ds:objc_msg_respondsToSelector_] ; @selector(respondsToSelector:)
00000000000057f4 FF15962A0100                    call       qword [ds:objc_msg_respondsToSelector_] ; @selector(respondsToSelector:)
00000000000057fa 84C0                            test       al, al
00000000000057fc 750B                            jne        0x5809
00000000000057fe 4883C408                        add        rsp, 0x8                      ; XREF=0x57d4, 0x57d9
0000000000005802 5B                              pop        rbx
0000000000005803 415E                            pop        r14
0000000000005805 415F                            pop        r15
0000000000005807 5D                              pop        rbp
0000000000005808 C3                              ret

Finally, we set the application to never expire: 

                                            methImpl_AFRegistrationManager_isTrialExpired:
0000000000004728 55                              push       rbp
0000000000004729 4889E5                          mov        rbp, rsp
000000000000472c 4156                            push       r14
000000000000472e 53                              push       rbx
000000000000472f 4889FB                          mov        rbx, rdi
0000000000004732 488B05775A0100                  mov        rax, qword [ds:_OBJC_IVAR_$_AFRegistrationManager.configuration]
0000000000004739 488B3C03                        mov        rdi, qword [ds:rbx+rax]
000000000000473d 488B35F4330100                  mov        rsi, qword [ds:objc_sel_expirationDate] ; @selector(expirationDate)
0000000000004744 FF151EF90000                    call       qword [ds:imp___got__objc_msgSend]
000000000000474a 30C9                            xor        cl, cl
000000000000474c 4885C0                          test       rax, rax
000000000000474f E945000000                      jmp        0x4799
...
0000000000004799 0FB6C1                          movzx      eax, cl                       ; XREF=0x474f, 0x4795
000000000000479c 5B                              pop        rbx
000000000000479d 415E                            pop        r14
000000000000479f 5D                              pop        rbp
00000000000047a0 C3                              ret
cracks/grappler.txt ยท Last modified: 2022/04/19 08:28 by 127.0.0.1
You are here: start / cracks / grappler

Access website using Tor Access website using i2p Wizardry and Steamworks PGP Key


For the contact, copyright, license, warranty and privacy terms for the usage of this website please see the contact, license, privacy, copyright.