Alfred is a great replacement for Spotlight that allows custom extensions. We have previously used this to synchronize screensavers between Macs. The Powerpack can be bought from Alfred's website, and we wondered whether the security could somehow be circumvented.
Disassembling Alfred shows that it uses one method that references several other subroutines in succession:
    ====== B E G I N   O F   P R O C E D U R E ======

    ; Basic Block Input Regs: rax rsp - Killed Regs: rax rbp
    _isPStatusA5wq_100032cd0:
    0000000100032cd0 55          push rbp    ; XREF=0x100001c02, 0x100003105, 0x1000031d2, 0x10000333e, 0x100005085, 0x1000056a0, ...
    0000000100032cd1 4889E5      mov rbp, rsp
    0000000100032cd4 30C0        xor al, al
    0000000100032cd6 E8C5BC0100  call _Rac38kHnAC_10004e9a0
    0000000100032cdb 0FBEC0      movsx eax, al
    0000000100032cde 5D          pop rbp
    0000000100032cdf C3          ret
    ; endp
The easy method is to return a positive result from this method so that every time the Powerpack status is checked, the result will be true.
Otherwise, if you are unwilling to recode the _isPStatusA5wq_100032cd0 method, you can simply follow the logic where this method is called. There are two variants of calls throughout the program:
    000000010000aa79 E852820200  call _isPStatusA5wq_100032cd0
    000000010000aa7e 84C0        test al, al
    000000010000aa80             jne ; some address
and
    000000010000aa79 E852820200  call _isPStatusA5wq_100032cd0
    000000010000aa7e 84C0        test al, al
    000000010000aa80             je ; some address
In both cases, the jne should be changed into a jmp to the address and the je should be transformed into a nop sled down to the rest of the instructions. This is laborious since there are many references to _isPStatusA5wq_100032cd0.