Table of Contents
About
DaisyDisk is a program that scans an OSX harddrive and conveniently displays the occupied space so that users can pick-out what is eating their harddrive space.
The trial limitation includes:
- nag-screens
- nasty button on the window pane that says "test drive".
- disabling the deletion of collected files.
So, we take DaisyDisk for a test drive and break the protections.
Nag Screens
The nag screens are easily disabled by crippling the TrialNagWindowController:
methImpl_TrialNagWindowController_init: 00000001000ae52c 55 push rbp 00000001000ae52d 4889E5 mov rbp, rsp 00000001000ae530 4883EC10 sub rsp, 0x10 00000001000ae534 E921000000 jmp 0x1000ae55a 00000001000ae539 90 nop 00000001000ae53a 90 nop 00000001000ae53b 90 nop 00000001000ae53c 90 nop 00000001000ae53d 90 nop 00000001000ae53e 90 nop 00000001000ae53f 488945F8 mov qword [ss:rbp+0xfffffffffffffff8], rax 00000001000ae543 488B358E3F0A00 mov rsi, qword [ds:objc_sel_initWithNibName_] ; @selector(initWithNibName:) 00000001000ae54a 488D7DF0 lea rdi, qword [ss:rbp+0xfffffffffffffff0] 00000001000ae54e 488D1533660B00 lea rdx, qword [ds:cfstring_TrialNagWindow] ; @"TrialNagWindow" 00000001000ae555 E876610100 call imp___stubs__objc_msgSendSuper2 00000001000ae55a 4883C410 add rsp, 0x10 ; XREF=0x1000ae534 00000001000ae55e 5D pop rbp 00000001000ae55f C3 ret
Nag Button
To eliminate the nag button, we nop the je around 0x0100029829:
0000000100029822 4584ED test r13L, r13L ; case 0 XREF=0x100029725, 0x100029748, 0x10002978a, 0x1000297be, 0x100029772 0000000100029825 488B5DC8 mov rbx, qword [ss:rbp+0xffffffffffffffc8] 0000000100029829 90 nop 000000010002982a 90 nop 000000010002982b 488B357E641200 mov rsi, qword [ds:objc_sel_hideTitleButton] ; @selector(hideTitleButton) 0000000100029832 4C8B35D7BB0E00 mov r14, qword [ds:imp___got__objc_msgSend] 0000000100029839 4889DF mov rdi, rbx 000000010002983c 41FFD6 call r14 000000010002983f 488B3572641200 mov rsi, qword [ds:objc_sel_exitAllNagScreens] ; @selector(exitAllNagScreens) 0000000100029846 4889DF mov rdi, rbx 0000000100029849 41FFD6 call r14 000000010002984c 488B05352B1300 mov rax, qword [ds:0x10015c388] 0000000100029853 488B3C03 mov rdi, qword [ds:rbx+rax] 0000000100029857 488B3562641200 mov rsi, qword [ds:objc_sel_setWatermarkVisible_] ; @selector(setWatermarkVisible:) 000000010002985e 31D2 xor edx, edx 0000000100029860 41FFD6 call r14 0000000100029863 488B052E2B1300 mov rax, qword [ds:0x10015c398] 000000010002986a 488B3C03 mov rdi, qword [ds:rbx+rax] 000000010002986e 488B354B641200 mov rsi, qword [ds:objc_sel_setWatermarkVisible_] ; @selector(setWatermarkVisible:) 0000000100029875 31D2 xor edx, edx 0000000100029877 41FFD6 call r14 000000010002987a 488B05572B1300 mov rax, qword [ds:0x10015c3d8] 0000000100029881 488B3C03 mov rdi, qword [ds:rbx+rax] 0000000100029885 488B356C4F1200 mov rsi, qword [ds:objc_sel_setHidden_] ; @selector(setHidden:) 000000010002988c BA01000000 mov edx, 0x1 0000000100029891 EB66 jmp 0x1000298f9 0000000100029893 488B352E641200 mov rsi, qword [ds:objc_sel_showBuyNowButton_] ; @selector(showBuyNowButton:) XREF=0x100029829
| Before | After |
|---|---|
 |  |
The result can be seen in the images above.
Enabling Deletion
Deleting files is disabled in the trial version, however this can easily be circumvented by jumping over the license key verification procedure and other intermediary steps:
methImpl_SourceController_beginExecution: 00000001000841df 55 push rbp 00000001000841e0 4889E5 mov rbp, rsp 00000001000841e3 4157 push r15 00000001000841e5 4156 push r14 00000001000841e7 4155 push r13 00000001000841e9 4154 push r12 00000001000841eb 53 push rbx 00000001000841ec 4881ECB8010000 sub rsp, 0x1b8 00000001000841f3 4889B540FEFFFF mov qword [ss:rbp+0xfffffffffffffe40], rsi 00000001000841fa 4989FD mov r13, rdi 00000001000841fd 488B057C100900 mov rax, qword [ds:imp___got____stack_chk_guard] 0000000100084204 488B00 mov rax, qword [ds:rax] 0000000100084207 488945D0 mov qword [ss:rbp+0xffffffffffffffd0], rax 000000010008420b 488B352EC60C00 mov rsi, qword [ds:objc_sel_isScanning] ; @selector(isScanning) 0000000100084212 4C89EF mov rdi, r13 0000000100084215 FF15F5110900 call qword [ds:imp___got__objc_msgSend] 000000010008421b 84C0 test al, al 000000010008421d 0F850D0B0000 jne 0x100084d30 0000000100084223 488B3516BB0C00 mov rsi, qword [ds:objc_sel_isCountingDown] ; @selector(isCountingDown) 000000010008422a 4C89EF mov rdi, r13 000000010008422d FF15DD110900 call qword [ds:imp___got__objc_msgSend] 0000000100084233 84C0 test al, al 0000000100084235 0F85F50A0000 jne 0x100084d30 000000010008423b 488B3506BB0C00 mov rsi, qword [ds:objc_sel_isExecuting] ; @selector(isExecuting) 0000000100084242 4C89EF mov rdi, r13 0000000100084245 FF15C5110900 call qword [ds:imp___got__objc_msgSend] 000000010008424b 84C0 test al, al 000000010008424d 0F85DD0A0000 jne 0x100084d30 0000000100084253 488B352EA80C00 mov rsi, qword [ds:objc_sel_licenseKeyFromDisk] ; @selector(licenseKeyFromDisk) 000000010008425a 488B3D2FED0C00 mov rdi, qword [ds:objc_classref_LicenseKey] 0000000100084261 FF15A9110900 call qword [ds:imp___got__objc_msgSend] 0000000100084267 4530F6 xor r14L, r14L 000000010008426a 4885C0 test rax, rax 000000010008426d E9B8080000 jmp 0x100084b2a 0000000100084272 90 nop ... 0000000100084b2a 488B05A7880D00 mov rax, qword [ds:0x10015d3d8] ; XREF=0x100084a25, 0x100084a72, 0x100084aa3, 0x10008426d 0000000100084b31 49C744050000000000 mov qword [ds:r13+rax+0x0], 0x0 0000000100084b3a 488B059F880D00 mov rax, qword [ds:0x10015d3e0] 0000000100084b41 41C644050000 mov byte [ds:r13+rax+0x0], 0x0 0000000100084b47 488B0582880D00 mov rax, qword [ds:0x10015d3d0] 0000000100084b4e 41C744050000000000 mov dword [ds:r13+rax+0x0], 0x0 0000000100084b57 488B1DB2080900 mov rbx, qword [ds:imp___got__objc_msgSend] 0000000100084b5e 488B05C3870D00 mov rax, qword [ds:0x10015d328] 0000000100084b65 498B7C0500 mov rdi, qword [ds:r13+rax+0x0] 0000000100084b6a 488B3527D00C00 mov rsi, qword [ds:objc_sel_executionDidBegin] ; @selector(executionDidBegin) ...
At 0x10008426d, we jump over the protections and proceed with the deletion.
That's it for DaisyDisk 2.1.2.