Shortnote

Zooom/2 is an application that brings Linux-style sloppy focus to the Mac. It is a moderately decent application and the protections are easy to defeat. The application was uninstalled after it was cracked because it does not solve some problems that are inherited from the OS X window manager: for example, even tooltips seem to slide under the window when sloppy focus is activated.

Eliminate the Red Text

The red nag text that appears on all tabs can be eliminated as follows: NOP out the first je and then let the function jump to 0x100015983:

                                             methImpl_RegistrationController_updateTrialPeriodWindow_shouldShowDialog_:
000000010001589b 55                              push       rbp
000000010001589c 4889E5                          mov        rbp, rsp
000000010001589f 48895DE8                        mov        qword [ss:rbp+0xFFFFFFFFFFFFFFE8], rbx
00000001000158a3 4C8965F0                        mov        qword [ss:rbp+0xFFFFFFFFFFFFFFF0], r12
00000001000158a7 4C896DF8                        mov        qword [ss:rbp+0xFFFFFFFFFFFFFFF8], r13
00000001000158ab 4883EC20                        sub        rsp, 0x20
00000001000158af 4989FD                          mov        r13, rdi
00000001000158b2 84D2                            test       dl, dl
00000001000158b4 90                              nop        
00000001000158b5 90                              nop        
00000001000158b6 488B058B900A00                  mov        rax, qword [ds:_OBJC_IVAR_$_RegistrationController._trialDaysLeftOnRegistrationTab]
00000001000158bd 488B3C07                        mov        rdi, qword [ds:rdi+rax]
00000001000158c1 BA01000000                      mov        edx, 0x1
00000001000158c6 E9B8000000                      jmp        0x100015983

Disable the Nag Window

To disable the nag window, the showNagNow and setShowNagNow methods can be patched so that they do nothing:

                                            methImpl_StartupSequenceController_showNagNow:
00000001000437f9 55                              push       rbp
00000001000437fa 4889E5                          mov        rbp, rsp
00000001000437fd E906000000                      jmp        0x100043808
0000000100043802 90                              nop        
0000000100043803 90                              nop        
0000000100043804 0FB60407                        movzx      eax, byte [ds:rdi+rax]
0000000100043808 C9                              leave                                    ; XREF=0x1000437fd
0000000100043809 C3                              ret        
                                            methImpl_StartupSequenceController_setShowNagNow_:
000000010004380a 55                              push       rbp
000000010004380b 4889E5                          mov        rbp, rsp
000000010004380e E905000000                      jmp        0x100043818
0000000100043813 90                              nop        
0000000100043814 90                              nop        
0000000100043815 881407                          mov        byte [ds:rdi+rax], dl
0000000100043818 C9                              leave                                    ; XREF=0x10004380e
0000000100043819 C3                              ret               

For extra protection (and perhaps a slight performance enhancement), we can also cancel out any rescheduling of showing the nag window:

                                            methImpl_StartupSequenceController_rescheduleNaggingWindow_:
0000000100043615 55                              push       rbp
0000000100043616 4889E5                          mov        rbp, rsp
0000000100043619 53                              push       rbx
000000010004361a 4883EC08                        sub        rsp, 0x8
000000010004361e 4889FB                          mov        rbx, rdi
...
000000010004364b E934000000                      jmp        0x100043684
0000000100043650 90                              nop        
0000000100043651 90                              nop        
0000000100043652 90                              nop        
0000000100043653 90                              nop        
...
0000000100043684 4883C408                        add        rsp, 0x8                      ; XREF=0x10004364b, 0x100043677
0000000100043688 5B                              pop        rbx
0000000100043689 C9                              leave      
000000010004368a C3                              ret        

Remove the "Buy now" Nag Text

The "Buy now…" hyperlink on the bottom right is activated in the performLicenseValidation method by a backward jmp to the section of the function responsible for showing the "Buy Zooom/2 Now" text:

                                            methImpl_RegistrationController_performLicenseValidation_showDialog_:
00000001000159a1 55                              push       rbp
...
0000000100015aa4 488D15F5BA0900                  lea        rdx, qword [ds:cfstring_Buy_Zooom_2_Now] ; @"Buy Zooom/2 Now"
...
                                       ; Basic Block Input Regs: <nothing> -  Killed Regs: <nothing>
0000000100015da2 E9ABFCFFFF                      jmp        0x100015A52

To defeat this, we simply eliminate the backward jump:

0000000100015da2 90                              nop        
0000000100015da3 90                              nop        
0000000100015da4 90                              nop        
0000000100015da5 90                              nop        
0000000100015da6 90                              nop        

That's it for Zooom/2 2.5.0.
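
Seen from the vendor's or a responder's side, every patch above leaves the same trace in a listing: an unconditional E9 jmp or a removed branch, padded with single-byte 0x90 NOPs over the original bytes. The following Python sketch is an added example, not part of the original note or of Zooom/2; it parses listing lines in the format used on this page (the sample is copied from the showNagNow listing above), decodes the rel32 jump target, and flags jumps that are directly followed by NOP padding. The function names are hypothetical.

```python
import re

# Listing lines copied from the showNagNow listing on this page.
SAMPLE = """\
00000001000437f9 55                              push       rbp
00000001000437fa 4889E5                          mov        rbp, rsp
00000001000437fd E906000000                      jmp        0x100043808
0000000100043802 90                              nop
0000000100043803 90                              nop
0000000100043804 0FB60407                        movzx      eax, byte [ds:rdi+rax]
0000000100043808 C9                              leave
0000000100043809 C3                              ret
"""

LINE = re.compile(r"^\s*([0-9a-fA-F]{16})\s+((?:[0-9a-fA-F]{2})+)\s+(\S+)")

def parse(listing):
    """Return [(address, raw_bytes, mnemonic)] for each instruction line."""
    out = []
    for line in listing.splitlines():
        m = LINE.match(line)
        if m:
            out.append((int(m.group(1), 16), bytes.fromhex(m.group(2)), m.group(3)))
    return out

def jmp_target(addr, raw):
    """Decode E9 rel32: target = address of next instruction + signed displacement."""
    if len(raw) == 5 and raw[0] == 0xE9:
        return addr + 5 + int.from_bytes(raw[1:], "little", signed=True)
    return None

def find_patch_artifacts(listing):
    """Flag each unconditional jmp that is directly followed by NOP padding."""
    insns = parse(listing)
    findings = []
    for i, (addr, raw, _) in enumerate(insns):
        target = jmp_target(addr, raw)
        if target is None:
            continue
        nops = 0
        for _, nxt, _ in insns[i + 1:]:
            if nxt != b"\x90":
                break
            nops += 1
        if nops:
            skipped = [a for a, _, _ in insns if addr < a < target]
            findings.append({"jmp": addr, "target": target,
                             "nops": nops, "skipped": len(skipped)})
    return findings
```

A hit is a lead rather than proof, since compilers also emit padding after jumps; confirm by comparing the installed binary against the vendor's original, where any change to the code also invalidates the code signature that `codesign --verify` checks.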