Shortnote

Latexian is a small text editor that allows live previews of LaTeX documents. The protection is easy to defeat, and the developers seem to have gone to great lengths to include a small database of pirated serials, when in fact Latexian can be defeated simply by attacking the isLicensed method.

The isLicensed method seems to be a typical return-true-if-licensed function. Several checks in it eventually lead to returning the contents of the cl register, which can be seen around address 0x10002ee4e.

We rewire this function by first NOPing out the jne at 0x10002edc2, so that the value 0x1 gets moved into the cl register regardless of the outcome of the isAppStoreVersion call:

000000010002edc2 90                              nop        
000000010002edc3 90                              nop        
000000010002edc4 30C0                            xor        al, al
000000010002edc6 E87CF30800                      call       sub_1000be147
000000010002edcb B101                            mov        cl, 0x1
000000010002edcd 84C0                            test       al, al
000000010002edcf E97A000000                      jmp        0x10002EE4E

Next, we replace the jne at 0x10002edcf with an unconditional jmp directly to the function epilogue:

000000010002ee4e 0FB6C1                          movzx      eax, cl                       ; XREF=0x10002edcf, 0x10002edef, 0x10002edfc, 0x10002ee4a
000000010002ee51 5B                              pop        rbx
000000010002ee52 415E                            pop        r14
000000010002ee54 5D                              pop        rbp
000000010002ee55 C3                              ret        

which returns the value 1 (cl zero-extended into eax), so the program believes it is already registered.

A complete overview of the result can be seen below:

                                            methImpl_PurchaseController_isLicensed:
000000010002eda2 55                              push       rbp
000000010002eda3 4889E5                          mov        rbp, rsp
000000010002eda6 4156                            push       r14
000000010002eda8 53                              push       rbx
000000010002eda9 4889FB                          mov        rbx, rdi
000000010002edac 488B35053A1100                  mov        rsi, qword [ds:objc_sel_isAppStoreVersion] ; @selector(isAppStoreVersion)
000000010002edb3 488B3D8E7B1100                  mov        rdi, qword [ds:0x100146948]
000000010002edba FF1568250E00                    call       qword [ds:imp___got__objc_msgSend]
000000010002edc0 84C0                            test       al, al
000000010002edc2 90                              nop        
000000010002edc3 90                              nop        
000000010002edc4 30C0                            xor        al, al
000000010002edc6 E87CF30800                      call       sub_1000be147
000000010002edcb B101                            mov        cl, 0x1
000000010002edcd 84C0                            test       al, al
000000010002edcf E97A000000                      jmp        0x10002EE4E
000000010002edd4 90                              nop        
000000010002edd5 90                              nop        
...
000000010002ee4e 0FB6C1                          movzx      eax, cl                       ; XREF=0x10002edcf, 0x10002edef, 0x10002edfc, 0x10002ee4a
000000010002ee51 5B                              pop        rbx
000000010002ee52 415E                            pop        r14
000000010002ee54 5D                              pop        rbp
000000010002ee55 C3                              ret        
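From the defender's side, as an added example (not from the original note and not Latexian's own code): both rewrites above change bytes inside isLicensed, so a digest of that range recorded at build time and re-checked at run time notices them. The two original jne encodings below are assumed, since the note shows only the patched bytes; the remaining instruction bytes are taken from its listing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* FNV-1a over a code range. Cheap and dependency-free; enough to notice a
 * two-byte edit such as jne -> nop nop. Not a MAC: whoever also rewrites the
 * stored digest defeats it, so keep it away from the function it covers. */
uint64_t code_digest(const uint8_t *code, size_t len)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= code[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* True when the live bytes still match the digest a post-link step recorded
 * over the same range; on a real build `live` is a pointer into isLicensed. */
bool code_intact(const uint8_t *live, size_t len, uint64_t expected)
{
    return code_digest(live, len) == expected;
}

/* Constructed stand-in for 0x10002edc2..0x10002edd4 before the patch. Both jne
 * encodings (75 rel8, 0F 85 rel32) are assumed; the rest is from the listing. */
static const uint8_t region_original[19] = {
    0x75, 0x0F,                          /* jne  short (assumed target) */
    0x30, 0xC0,                          /* xor  al, al                 */
    0xE8, 0x7C, 0xF3, 0x08, 0x00,        /* call sub_1000be147          */
    0xB1, 0x01,                          /* mov  cl, 0x1                */
    0x84, 0xC0,                          /* test al, al                 */
    0x0F, 0x85, 0x79, 0x00, 0x00, 0x00   /* jne  0x10002ee4e (assumed)  */
};

/* The same range after the rewrite the note describes. */
static const uint8_t region_patched[19] = {
    0x90, 0x90,                          /* nop ; nop                   */
    0x30, 0xC0, 0xE8, 0x7C, 0xF3, 0x08, 0x00, 0xB1, 0x01, 0x84, 0xC0,
    0xE9, 0x7A, 0x00, 0x00, 0x00, 0x90   /* jmp  0x10002ee4e ; nop      */
};

/* Digest the build would record for the untouched range. */
uint64_t expected_digest(void)
{
    return code_digest(region_original, sizeof region_original);
}
```

Checking the patched range against expected_digest() fails, while the untouched range passes; in a shipping build the comparison should run from several unrelated call sites rather than only inside isLicensed.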

cracks/latexian.txt · Last modified: 2022/04/19 08:28 by 127.0.0.1
