Snapz Pro X is a marvelous OS X alternative to Fraps. The older version you will find around included a license by David Polis that worked with versions of Snapz Pro X prior to 2.2.3. The new version includes a modal window that locks the user in an endless loop, with seemingly no way to exit.
Since this one is a little meaner, we load the Snapz Pro X binary in GDB and perform a backtrace after stepping once into the assembly:
(gdb) start
Function "main" not defined.
Make breakpoint pending on future shared library load? (y or [n])
Starting program: /Applications/Snapz Pro X/Snapz Pro X.app/Contents/MacOS/Snapz Pro X
Reading symbols for shared libraries . done
At this point we get a modal window that does not go away, so we send SIGKILL to the Snapz Pro X process in order to detach GDB.
Program received signal SIGKILL, Killed.
0x92635afa in mach_msg_trap ()
(gdb)
Now we run the backtrace to see where that SIGKILL signal was received by Snapz Pro X:
(gdb) bt
#0  0x92635afa in mach_msg_trap ()
#1  0x92636267 in mach_msg ()
#2  0x9014c2df in __CFRunLoopRun ()
#3  0x9014b3c4 in CFRunLoopRunSpecific ()
#4  0x9014b1f1 in CFRunLoopRunInMode ()
#5  0x99e53e04 in RunCurrentEventLoopInMode ()
#6  0x99e53bb9 in ReceiveNextEventCommon ()
#7  0x99fdc084 in _AcquireNextEvent ()
#8  0x99fd2181 in _RunAppModalLoop ()
#9  0x99fd25a5 in RunAppModalLoopForWindow ()
#10 0x0000bdae in ?? ()
#11 0x00002b39 in ?? ()
#12 0x00002a68 in ?? ()
Right, so this seems pretty clear: Snapz Pro X is stuck in an endless loop with a modal window showing. This is exactly the behavior we noticed previously.
We disassemble the binary and search for that modal window inside something that looks like a loop. Around address 0xbd3d we find the following loop:
; Basic Block Input Regs: ebp - Killed Regs: eax ecx edx esi
0000bd3d 8BB530FEFFFF    mov esi, dword [ss:ebp-0x208+var_56] ; XREF=0xbdd5
0000bd43 8D0CDD00000000  lea ecx, dword [ds:0x0+ebx*8]
0000bd4a 8B9524FEFFFF    mov edx, dword [ss:ebp-0x208+var_44]
0000bd50 8B8520FEFFFF    mov eax, dword [ss:ebp-0x208+var_40]
0000bd56 33840D78FEFFFF  xor eax, dword [ss:ebp+ecx-0x208+var_128]
0000bd5d 33540E04        xor edx, dword [ds:esi+ecx+0x4]
0000bd61 2578EFDFFB      and eax, 0xFBDFEF78
0000bd66 81E2F7FEBD07    and edx, 0x7BDFEF7
0000bd6c 89D1            mov ecx, edx
0000bd6e 09C1            or ecx, eax
0000bd70 7559            jne 0xBDCB
; Basic Block Input Regs: ebp - Killed Regs: eax ecx edx esp esi
0000bd72 8B15B8E20500    mov edx, dword [ds:0x5E2B8]
0000bd78 8BB570FEFFFF    mov esi, dword [ss:ebp-0x208+var_120]
0000bd7e 8B02            mov eax, dword [ds:edx]
0000bd80 89352CE00500    mov dword [ds:0x5E02C], esi
0000bd86 890424          mov dword [ss:esp], eax
0000bd89 E863F40900      call imp___jump_table__ShowWindow
0000bd8e 8B0DB8E20500    mov ecx, dword [ds:0x5E2B8]
0000bd94 8B01            mov eax, dword [ds:ecx]
0000bd96 890424          mov dword [ss:esp], eax
0000bd99 E881F30900      call imp___jump_table__SelectWindow
0000bd9e 8B35B8E20500    mov esi, dword [ds:0x5E2B8]
0000bda4 8B06            mov eax, dword [ds:esi]
0000bda6 890424          mov dword [ss:esp], eax
0000bda9 E8FEF20900      call imp___jump_table__RunAppModalLoopForWindow
0000bdae C7042401000000  mov dword [ss:esp], 0x1
0000bdb5 E864F40900      call imp___jump_table__SysBeep
0000bdba C70424D0070000  mov dword [ss:esp], 0x7D0
0000bdc1 E85DF40900      call imp___jump_table__SystemWait
0000bdc6 E856EC0900      call imp___jump_table__ExitToShell
; Basic Block Input Regs: <nothing> - Killed Regs: ebx ebp
0000bdcb 43              inc ebx ; XREF=0xbd70
0000bdcc FF8570FEFFFF    inc dword [ss:ebp-0x208+var_120]
0000bdd2 83FB28          cmp ebx, 0x28
0000bdd5 0F8562FFFFFF    jne 0xBD3D
In the body we have the RunAppModalLoopForWindow call, and at the end we find jne 0xBD3D, which brings us back to 0xBD3D at the start, before the modal window call. We also find at 0xbd70 a jne over the RunAppModalLoopForWindow, which looks interesting because if that jump is taken the window call never occurs. Thus, we change the jne into a jmp:
0000bd3d 8BB530FEFFFF    mov esi, dword [ss:ebp+0xFFFFFFFFFFFFFE30] ; XREF=0xbdd5
0000bd43 8D0CDD00000000  lea ecx, dword [ds:0x0+ebx*8]
0000bd4a 8B9524FEFFFF    mov edx, dword [ss:ebp+0xFFFFFFFFFFFFFE24]
0000bd50 8B8520FEFFFF    mov eax, dword [ss:ebp+0xFFFFFFFFFFFFFE20]
0000bd56 33840D78FEFFFF  xor eax, dword [ss:ebp+ecx+0xFFFFFFFFFFFFFE78]
0000bd5d 33540E04        xor edx, dword [ds:esi+ecx+0x4]
0000bd61 2578EFDFFB      and eax, 0xFBDFEF78
0000bd66 81E2F7FEBD07    and edx, 0x7BDFEF7
0000bd6c 89D1            mov ecx, edx
0000bd6e 09C1            or ecx, eax
0000bd70 E956000000      jmp 0xBDCB
0000bd75 90              nop
0000bd76 90              nop
0000bd77 90              nop
After that, when we run Snapz Pro X, we get no modal window and the application loads just fine. Enjoy your 2.3.3.