Latexian is a small text editor that provides live previews of LaTeX documents. Its licensing protection is easy to defeat: the developers seem to have gone to great lengths to include a small database of pirated serials, when in fact Latexian can be defeated simply by attacking the isLicensed method.
The isLicensed method looks like a typical "return true if licensed" function. It contains several checks that eventually lead to returning the contents of the cl register; this can be seen around address 0x10002ee4e.
We rewire this function by first nop-ing out the jne at 0x10003edc2, so that the value 0x1 is moved into the cl register regardless of the outcome of the isAppStoreVersion call:
000000010002edc2 90         nop
000000010002edc3 90         nop
000000010002edc4 30C0       xor al, al
000000010002edc6 E87CF30800 call sub_1000be147
000000010002edcb B101       mov cl, 0x1
000000010002edcd 84C0       test al, al
000000010002edcf E97A000000 jmp 0x10002EE4E
At this point (as shown in the listing above), we replace the jne at 0x10002edcf with a jmp directly to:
000000010002ee4e 0FB6C1 movzx eax, cl ; XREF=0x10002edcf, 0x10002edef, 0x10002edfc, 0x10002ee4a
000000010002ee51 5B     pop rbx
000000010002ee52 415E   pop r14
000000010002ee54 5D     pop rbp
000000010002ee55 C3     ret
which returns the value 1, so the program believes it has already been registered.
A complete overview of the result can be seen below:
methImpl_PurchaseController_isLicensed:
000000010002eda2 55             push rbp
000000010002eda3 4889E5         mov rbp, rsp
000000010002eda6 4156           push r14
000000010002eda8 53             push rbx
000000010002eda9 4889FB         mov rbx, rdi
000000010002edac 488B35053A1100 mov rsi, qword [ds:objc_sel_isAppStoreVersion] ; @selector(isAppStoreVersion)
000000010002edb3 488B3D8E7B1100 mov rdi, qword [ds:0x100146948]
000000010002edba FF1568250E00   call qword [ds:imp___got__objc_msgSend]
000000010002edc0 84C0           test al, al
000000010002edc2 90             nop
000000010002edc3 90             nop
000000010002edc4 30C0           xor al, al
000000010002edc6 E87CF30800     call sub_1000be147
000000010002edcb B101           mov cl, 0x1
000000010002edcd 84C0           test al, al
000000010002edcf E97A000000     jmp 0x10002EE4E
000000010002edd4 90             nop
000000010002edd5 90             nop
...
000000010002ee4e 0FB6C1         movzx eax, cl ; XREF=0x10002edcf, 0x10002edef, 0x10002edfc, 0x10002ee4a
000000010002ee51 5B             pop rbx
000000010002ee52 415E           pop r14
000000010002ee54 5D             pop rbp
000000010002ee55 C3             ret
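The patched listing above leaves two tell-tale traces that a vendor or incident responder can look for when checking whether a shipped binary has been tampered with: a flag-setting test whose result is never consumed (because the conditional branch after it became nop or an unconditional jmp), and runs of single-byte 0x90 NOPs in the middle of a function body. The following Python script is an added example, not part of the original write-up, that parses a disassembly listing in the same address/bytes/mnemonic layout as above and reports both indicators. The listing embedded in it is constructed from the patched isLicensed instructions shown on this page; the helper names and the heuristics are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed input: the patched isLicensed prologue from the listing above,
# one instruction per line (address, encoded bytes, mnemonic, operands).
PATCHED_LISTING = """
000000010002eda2 55 push rbp
000000010002eda3 4889E5 mov rbp, rsp
000000010002eda6 4156 push r14
000000010002eda8 53 push rbx
000000010002eda9 4889FB mov rbx, rdi
000000010002edac 488B35053A1100 mov rsi, qword [ds:objc_sel_isAppStoreVersion]
000000010002edb3 488B3D8E7B1100 mov rdi, qword [ds:0x100146948]
000000010002edba FF1568250E00 call qword [ds:imp___got__objc_msgSend]
000000010002edc0 84C0 test al, al
000000010002edc2 90 nop
000000010002edc3 90 nop
000000010002edc4 30C0 xor al, al
000000010002edc6 E87CF30800 call sub_1000be147
000000010002edcb B101 mov cl, 0x1
000000010002edcd 84C0 test al, al
000000010002edcf E97A000000 jmp 0x10002EE4E
000000010002edd4 90 nop
000000010002edd5 90 nop
"""


@dataclass
class Insn:
    addr: int
    code: bytes
    mnemonic: str


# 16 hex-digit address, then the encoded bytes, then the mnemonic.
LINE_RE = re.compile(r"^([0-9a-fA-F]{16})\s+([0-9a-fA-F]+)\s+(\S+)")


def parse_listing(text):
    """Turn a textual listing into Insn records; lines that do not match are skipped."""
    insns = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            insns.append(Insn(int(m.group(1), 16), bytes.fromhex(m.group(2)), m.group(3).lower()))
    return insns


def consumes_flags(code):
    """True for x86 instructions that read EFLAGS: Jcc rel8/rel32, SETcc, CMOVcc."""
    if code and 0x70 <= code[0] <= 0x7F:            # Jcc rel8
        return True
    if len(code) >= 2 and code[0] == 0x0F:
        if 0x80 <= code[1] <= 0x9F:                  # Jcc rel32 (80-8F) or SETcc (90-9F)
            return True
        if 0x40 <= code[1] <= 0x4F:                  # CMOVcc
            return True
    return False


def find_patch_indicators(insns):
    """Return (address, reason) pairs for likely hand-patched spots in a function body."""
    findings = []
    for i, ins in enumerate(insns):
        nxt = insns[i + 1] if i + 1 < len(insns) else None
        # Indicator 1: a test/cmp whose flags are dead because the next instruction
        # is not a conditional branch (the original Jcc was nop'd or made unconditional).
        if ins.mnemonic in ("test", "cmp") and nxt is not None and not consumes_flags(nxt.code):
            findings.append((nxt.addr, f"'{ins.mnemonic}' at {ins.addr:#x} is followed by "
                                       f"'{nxt.mnemonic}' instead of a conditional branch"))
        # Indicator 2: two or more single-byte 0x90 NOPs in a row inside the body.
        # Compilers pad with multi-byte NOPs (0F 1F ...) at alignment points, not
        # with runs of 0x90 between live instructions.
        if ins.code == b"\x90" and (i == 0 or insns[i - 1].code != b"\x90"):
            run = 1
            while i + run < len(insns) and insns[i + run].code == b"\x90":
                run += 1
            if run >= 2:
                findings.append((ins.addr, f"{run} consecutive 0x90 NOPs (likely an overwritten instruction)"))
    return findings


def scan(text):
    return find_patch_indicators(parse_listing(text))


if __name__ == "__main__":
    for addr, reason in scan(PATCHED_LISTING):
        print(f"{addr:#x}: {reason}")
```

On the constructed listing this reports the nop pair at 0x10002edc2 (both as dead flags after the first test and as a NOP run), the unconditional jmp at 0x10002edcf after the second test, and the NOP pair at 0x10002edd4. These heuristics are for triaging a suspect binary after the fact; they are not a substitute for verifying the code signature of the executable, which catches any byte-level modification of the text segment without needing to understand the patch.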