Table of Contents

Shortnote

Acorn is a graphics drawing program (we're not even sure what we should say about it because Gimp is free and is more feature packed and if you really want to pay, you could just save up and buy PhotoShop) for babies. The trial is a fully functional demo with the following protections and annoyances:

We can remove all these annoyances and turn the application into a fully registered application.

Registration Preference Button

The registration preference button can be eliminating by simply noping the _FMAddToolbarItem call at 0x1000c4e9a:

0000001000c4e86 488D354B732700                  lea        rsi, qword [ds:cfstring_Registration] ; @"Registration"
00000001000c4e8d 4C89F2                          mov        rdx, r14
00000001000c4e90 4C89F1                          mov        rcx, r14
00000001000c4e93 4C8B45B0                        mov        r8, qword [ss:rbp-0x70+var_32]
00000001000c4e97 4531C9                          xor        r9d, r9d
00000001000c4e9a E88DDB0B00                      call       _FMAddToolbarItem_100182a2c

and replaced with a nop sledge:

00000001000c4e86 488D354B732700                  lea        rsi, qword [ds:cfstring_Registration] ; @"Registration"
00000001000c4e8d 4C89F2                          mov        rdx, r14
00000001000c4e90 4C89F1                          mov        rcx, r14
00000001000c4e93 4C8B45B0                        mov        r8, qword [ss:rbp-0x70+var_32]
00000001000c4e97 4531C9                          xor        r9d, r9d
00000001000c4e9a 90                              nop        
00000001000c4e9b 90                              nop        
00000001000c4e9c 90                              nop        
00000001000c4e9d 90                              nop        
00000001000c4e9e 90                              nop

Purchase Menu

The purchase menu item can be eliminated by noping the insertItem_atIndex call at 0x10000cc0c:

====== B E G I N   O F   P R O C E D U R E ======
 
 
                                       ; Basic Block Input Regs: rdi -  Killed Regs: rax rbx
                                            methImpl_TSAppDelegate_checkPurchaseMenu:
000000010000cb67 55                              push       rbp
...
000000010000cc0c 488B35D5123100                  mov        rsi, qword [ds:objc_sel_insertItem_atIndex_] ; @selector(insertItem:atIndex:)
...

and replaced with the following nop sledge:

000000010000cc0c 90                              nop                                      ; @selector(insertItem:atIndex:)
000000010000cc0d 90                              nop        
000000010000cc0e 90                              nop        
000000010000cc0f 90                              nop        
000000010000cc10 90                              nop        
000000010000cc11 90                              nop        
000000010000cc12 90                              nop

Remove Watermark

The watermark can be eliminated by attacking the objc_sel_drawWatermarkIn_withRect_ call which occurs twice at 0x1000442d4, respectively 0x100158923.

First time in the _drawRect_ method:

 
====== B E G I N   O F   P R O C E D U R E ======
 
 
                                       ; Basic Block Input Regs: rdi -  Killed Regs: r13 r14
                                            methImpl_TSCanvas_drawRect_:
00000001000430ba 55                              push       rbp
...
0000000100044299 757B                            jne        0x100044316

and replaced with a jmp over the entire logic:

0000000100044299 E978000000                      jmp        0x100044316
000000010004429e 90                              nop        
000000010004429f 90                              nop

Second time in newBitmapContextWithFilterResult with a jmp over the call to draw the watermark at the end of the method:

 
====== B E G I N   O F   P R O C E D U R E ======
 
 
                                       ; Basic Block Input Regs: rdi -  Killed Regs: rax rbp rsi rdi r15
                                            methImpl_RSImageFilterWindowController_newBitmapContextWithFilterResult:
000000010015869d 55                              push       rbp
...
000000010015890f 488B3592C41C00                  mov        rsi, qword [ds:objc_sel_demoMode] ; @selector(demoMode)
0000000100158916 488B3DDBDC1C00                  mov        rdi, qword [ds:0x1003265F8]
000000010015891d FFD3                            call       rbx
000000010015891f 84C0                            test       al, al
0000000100158921 7436                            je         0x100158959

the je replaced with:

0000000100158921 E933000000                      jmp        0x100158959
0000000100158926 90                              nop        
0000000100158927 90                              nop        
0000000100158928 90                              nop        
0000000100158929 90                              nop        

That's it for version 3.5. We uninstalled it, the application is pointless… Seriously. Fifty dalla? Really? Heck.