Shortnote

Applestore applications check for a certificate found in MASReceipt in order to test whether the application has been bought on the current machine.

Previously, this check has been circumvented by downloading a free application from the app store and then copying the receipt file into the MASReceipt folder of the application to be nulled. This method is not good enough because it still contains a receipt file which may cause problems with application updates, for example, stuck AppStore badge.

For the named app (photosweeper) the subroutine at 0x100002f63 takes care of reading the file and refusing to start if the file is not present or valid.

0000000100002fc8 488D1561E10F00                  lea        rdx, qword [ds:cfstring_Contents__MASReceipt_receipt] ; @"Contents/_MASReceipt/receipt"
0000000100002fcf 488B35EA420F00                  mov        rsi, qword [ds:objc_sel_stringByAppendingPathComponent_] ; @selector(stringByAppendingPathComponent:)
0000000100002fd6 4889C7                          mov        rdi, rax
0000000100002fd9 FFD3                            call       rbx

The check is easily bypassed by jumping over the entire subroutine:

                                            sub_100002f63:
0000000100002f63 55                              push       rbp                           ; XREF=0x10000135f
0000000100002f64 4889E5                          mov        rbp, rsp
0000000100002f67 4157                            push       r15
0000000100002f69 4156                            push       r14
0000000100002f6b 4155                            push       r13
0000000100002f6d 4154                            push       r12
0000000100002f6f 53                              push       rbx
0000000100002f70 4883EC78                        sub        rsp, 0x78
0000000100002f74 E902070000                      jmp        0x10000367B

which leads to the end of the subroutine:

000000010000367b 488B35663D0F00                  mov        rsi, qword [ds:objc_sel_drain] ; @selector(drain) XREF=0x100002f74
0000000100003682 488B7D80                        mov        rdi, qword [ss:rbp+0xFFFFFFFFFFFFFF80]
0000000100003686 FF1544FD0C00                    call       qword [ds:imp___got__objc_msgSend]
000000010000368c 8BBD74FFFFFF                    mov        edi, dword [ss:rbp+0xFFFFFFFFFFFFFF74]
0000000100003692 488BB568FFFFFF                  mov        rsi, qword [ss:rbp+0xFFFFFFFFFFFFFF68]
0000000100003699 E8BC8C0800                      call       imp___stubs__NSApplicationMain
000000010000369e 4883C478                        add        rsp, 0x78
00000001000036a2 5B                              pop        rbx
00000001000036a3 415C                            pop        r12
00000001000036a5 415D                            pop        r13
00000001000036a7 415E                            pop        r14
00000001000036a9 415F                            pop        r15
00000001000036ab 5D                              pop        rbp
00000001000036ac C3                              ret        

cracks/photosweeper.txt ยท Last modified: 2017/02/22 18:30 (external edit)

Access website using Tor


For the copyright, license, warranty and privacy terms for the usage of this website please see the license and privacy pages.