Table of Contents

About

Monodraw is an OSX ascii / UTF-8 editor meant for drawing diagrams and other graphics. The application has a standard protection where a trial is given for a number of days after which the application requires registration. As performed previously, this tutorial will crack the application and turn it into a never-ending trial.

Making the Application Registered

Perhaps this application is the easiest to trick. Even though in the past we have turned trial applications into applications that never expire, Monodraw is much easier to attack due to the MonodrawIsRegistered method that performs the following operations in order:

This can be observed at the top of MonodrawIsRegistered:

                     _HTMonodrawIsRegistered:
000000010002d591         push       rbp                                         ; XREF=+[HTLicenseRegistrationWindowController registerWithSerialNumber:window:completionBlock:]+60, -[HTLicenseRegistrationWindowController showRegistrationWindowWithSerialNumber:]+29, -[HTWelcomeWindowController internal_updatePromoButtonVisibility]+23, -[HTTrialController internal_needsTimer]+4, -[HTTrialController internal_isAllowedToRunApp]+9, -[HTMonodrawAppDelegate handleURLEvent:withReplyEvent:]+334, -[HTMonodrawAppDelegate applicationDidFinishLaunching:]+68
000000010002d592         mov        rbp, rsp
000000010002d595         push       r15
000000010002d597         push       r14
000000010002d599         push       r13
000000010002d59b         push       r12
000000010002d59d         push       rbx
...
000000010002d613         mov        rdi, r14
000000010002d616         call       r13
000000010002d619         test       bl, bl
000000010002d61b         je         0x10002d628
; the next section sets the flag that indicates that the application is registered
000000010002d61d         mov        al, 0x1
000000010002d61f         test       r15b, r15b
000000010002d622         jne        0x10002d7ea

The very last code-block will set the flag through the mov al, 0x1 instruction such that the je must be eliminated using nop instructions to ensure that the mov al, 0x1 instruction is executed. Furthermore, the jne, if successful, will lead to the method termination - which is what we want, such that we replace the unconditional jump jne with a jmp to the same address:

000000010002d609         call       _HTMonodrawDecodeLicense
000000010002d60e         mov        ebx, eax
000000010002d610         mov        r15b, byte [ds:r15]
000000010002d613         mov        rdi, r14
000000010002d616         call       r13
000000010002d619         test       bl, bl
000000010002d61b         nop        
000000010002d61c         nop        
000000010002d61d         mov        al, 0x1
000000010002d61f         test       r15b, r15b
000000010002d622         jmp        0x10002d7ea
000000010002d627         nop        

The application is now registered, will never expire and it additionally will not care that it is not code-signed - as usual, there is just so much cryptography can do. :-)

Index