Monodraw is an OSX ascii / UTF-8 editor meant for drawing diagrams and other graphics. The application has a standard protection where a trial is given for a number of days after which the application requires registration. As performed previously, this tutorial will crack the application and turn it into a never-ending trial.
Perhaps this application is the easiest to trick. Even though in the past we have turned trial applications into applications that never expire, Monodraw is much easier to attack due to the
MonodrawIsRegistered method that performs the following operations in order:
1and the method terminates.
This can be observed at the top of
_HTMonodrawIsRegistered: 000000010002d591 push rbp ; XREF=+[HTLicenseRegistrationWindowController registerWithSerialNumber:window:completionBlock:]+60, -[HTLicenseRegistrationWindowController showRegistrationWindowWithSerialNumber:]+29, -[HTWelcomeWindowController internal_updatePromoButtonVisibility]+23, -[HTTrialController internal_needsTimer]+4, -[HTTrialController internal_isAllowedToRunApp]+9, -[HTMonodrawAppDelegate handleURLEvent:withReplyEvent:]+334, -[HTMonodrawAppDelegate applicationDidFinishLaunching:]+68 000000010002d592 mov rbp, rsp 000000010002d595 push r15 000000010002d597 push r14 000000010002d599 push r13 000000010002d59b push r12 000000010002d59d push rbx ... 000000010002d613 mov rdi, r14 000000010002d616 call r13 000000010002d619 test bl, bl 000000010002d61b je 0x10002d628 ; the next section sets the flag that indicates that the application is registered 000000010002d61d mov al, 0x1 000000010002d61f test r15b, r15b 000000010002d622 jne 0x10002d7ea
The very last code-block will set the flag through the
mov al, 0x1 instruction such that the
je must be eliminated using
nop instructions to ensure that the
mov al, 0x1 instruction is executed. Furthermore, the
jne, if successful, will lead to the method termination - which is what we want, such that we replace the unconditional jump
jne with a
jmp to the same address:
000000010002d609 call _HTMonodrawDecodeLicense 000000010002d60e mov ebx, eax 000000010002d610 mov r15b, byte [ds:r15] 000000010002d613 mov rdi, r14 000000010002d616 call r13 000000010002d619 test bl, bl 000000010002d61b nop 000000010002d61c nop 000000010002d61d mov al, 0x1 000000010002d61f test r15b, r15b 000000010002d622 jmp 0x10002d7ea 000000010002d627 nop
The application is now registered, will never expire and it additionally will not care that it is not code-signed - as usual, there is just so much cryptography can do. :-)