Mac OS X software cracking log 1

Source: Internet
Author: User

I used a program called ringtones to convert music into ringtones for the iPhone. I was very happy with it at first. But one day it popped up a window telling me that I couldn't use it anymore. My English is poor, but I understood that there was a limit of 10 ringtones and that $12.99 was required to purchase it. So I thought about it and tried to crack it.

First I searched and found a blog post, http://www.robinlu.com/blog/archives/92, and then basically followed its example, but I also have a little of my own to share.

Open ringtones and let it pop up the window requesting the purchase. Use the process manager to look up the PID, then attach GDB and run bt.

(gdb) bt
#0 0x00007fff85c53e3a in mach_msg_trap ()
#1 0x00007fff85c544ad in mach_msg ()
#2 0x00007fff865137a2 in __CFRunLoopRun ()
#3 0x00007fff86512c2f in CFRunLoopRunSpecific ()
#4 0x00007fff806e5a4e in RunCurrentEventLoopInMode ()
#5 0x00007fff806e5853 in ReceiveNextEventCommon ()
#6 0x00007fff806e570c in BlockUntilNextEventMatchingListInMode ()
#7 0x00007fff878461f2 in _DPSNextEvent ()
#8 0x00007fff87845b41 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#9 0x00007fff87a80943 in -[NSApplication _realDoModalLoop:peek:] ()
#10 0x00007fff87a7e4cd in -[NSApplication runModalForWindow:] ()
#11 0x00007fff87a9a349 in _NXDoLocalRunAlertPanel ()
#12 0x00007fff87a9aa7a in NSRunAlertPanel ()
#13 0x000000000004e93 in -[afcreationwindowcontroller sendringtonetoitunes:] ()
#14 0x00007fff8799b09a in -[NSApplication sendAction:to:from:] ()
#15 0x00007fff8799aff9 in -[NSControl sendAction:to:] ()
#16 0x00007fff87a2655f in -[NSCell trackMouse:inRect:ofView:untilMouseUp:] ()
#17 0x00007fff87a57072 in -[NSButtonCell trackMouse:inRect:ofView:untilMouseUp:] ()
#18 0x00007fff87a25009 in -[NSControl mouseDown:] ()
#19 0x00007fff8793f68f in -[NSWindow sendEvent:] ()
#20 0x00007fff87874e22 in -[NSApplication sendEvent:] ()
#21 0x00007fff8780b796 in -[NSApplication run] ()
#22 0x00007fff87804468 in NSApplicationMain ()
#23 0x0000000000019e0 in start ()

The NS frames are all system code, and the -[afcreationwindowcontroller sendringtonetoitunes:] in the middle is obviously the button I clicked, because the button text is "send to iTunes". This indicates that after I clicked this button, it popped up an NSRunAlertPanel. Although I have not done Mac programming, this API name suggests that it displays a prompt window. For more detail, look at the code around 0x000000000004e93. Disassemble the function:

<-[afcreationwindowcontroller sendringtonetoitunes:] + 565>: xor %eax,%eax
0x000000000004e8e <-[afcreationwindowcontroller sendringtonetoitunes:] + 567>: callq 0x100011082
0x000000000004e93 <-[afcreationwindowcontroller sendringtonetoitunes:] + 572>: dec %eax
0x000000000004e95 <-[afcreationwindowcontroller sendringtonetoitunes:] + 574>: jne 0x00004ef8 <-[afcreationwindowcontroller sendringtonetoitunes:] + 673>
0x000000000004e97 <-[afcreationwindowcontroller sendringtonetoitunes:] + 576>: mov 0x1805a(%rip),%rdi # features
<-[afcreationwindowcontroller sendringtonetoitunes:] + 583>: lea 0x166bb(%rip),%rsi # features
<-[afcreationwindowcontroller sendringtonetoitunes:] + 590>: callq *0x166b5(%rip) # 0x10001b560

The rest of the code is omitted because it is a little long. Here, I wanted to change the jne 0x00004ef8 instruction to JE, but the change failed. The message "Program received signal EXC_BAD_ACCESS, Could not access memory" was displayed. Later I found out that my method was wrong, and that this was not the right instruction either.
As a result, we can see:

0x000000000004c98 <-[afcreationwindowcontroller sendringtonetoitunes:] + 65>: mov %rax,%rdi
0x000000000004c9b <-[afcreationwindowcontroller sendringtonetoitunes:] + 68>: callq *0x170df(%rip) # parameters
<-[afcreationwindowcontroller sendringtonetoitunes:] + 74>: test %al,%al
0x000000000004a3 <-[afcreationwindowcontroller sendringtonetoitunes:] + 76>: jne 0x00004d6f <-[afcreationwindowcontroller sendringtonetoitunes:] + 280>
Functions <-[afcreationwindowcontroller sendringtonetoitunes:] + 82>: mov 0x19b50(%rip),%rax # 0x10001e800 <objc_ivar_$_afcreationwindowcontroller._ringtoneeditorviewcontroller>
0x000000000004cb0 <-[afcreationwindowcontroller sendringtonetoitunes:] + 89>: mov (%r14,%rax,1),% calls
<-[afcreationwindowcontroller sendringtonetoitunes:] >: mov 0x170e5(%rip),%r13 # 0x10001bda0
0x000000000004cbb <-[afcreationwindowcontroller sendringtonetoitunes:] + 100>: lea 0x1704e(%rip),%rsi # 0x10001bd10

The jne 0x00004d6f instruction is too obvious: the call above performs the check, and then it jumps here. So the answer is to change this JNE to JE. Check the hexadecimal:

(gdb) x/20h 0x000000000004ca3
0x00004a3 <-[afcreationwindowcontroller sendringtonetoitunes:] + 76>: #
<-[afcreationwindowcontroller sendringtonetoitunes:] + 92>: Handler
<-[afcreationwindowcontroller sendringtonetoitunes:] + 108>: 0xf789 0x15ff 0x7020 0x0001

What is 850f? I expected it to be 75. After searching, I found that 850f is also JNE. What is the difference? I don't care. I can change it to 840f, so I started modifying it:

(gdb) set {unsigned char *} 0x000000000004a3 = 0x84

and then continued:

Program received signal EXC_BAD_ACCESS, Could not access memory.

Because I am not familiar with this, I thought this command had changed the memory permissions. But I took a look at the memory.
(gdb) x/20h running
<-[afcreationwindowcontroller sendringtonetoitunes:] + 76>: Running
<-[afcreationwindowcontroller sendringtonetoitunes:] + 92>: Running
<-[afcreationwindowcontroller sendringtonetoitunes:] + 108>: 0xf789 0x15ff 0x7020 0x0001

The set wrote 8 bytes, because this is a 64-bit system. Now I don't know what to set, and I don't know how such a long value is arranged. I had to experiment.

(gdb) set {unsigned char *} 0x00000004254a3 = running
(gdb) x/20h later
<-[afcreationwindowcontroller sendringtonetoitunes:] + 76>: Later
<-[afcreationwindowcontroller sendringtonetoitunes:] + 92>: 0x4c06 0x2d8b 0x70e5 0x0001 0x8d48 0x4e35 0x0170 0x4c00
0x00004cc3 <-[afcreationwindowcontroller sendringtonetoitunes:] + 108>: 0xf789 0x15ff 0x7020 0x0001

Now this is clear: each 2-byte group is stored in reverse order, as shown in

(gdb) set {unsigned char *} 0x000000000004a3 = 0x8b48000000c6840f
(gdb) x/20h 0x000000000004ca3
0x00004a3 <-[afcreationwindowcontroller sendringtonetoitunes:] + 76>: Signature
<-[afcreationwindowcontroller sendringtonetoitunes:] + 92>: Signature
<-[afcreationwindowcontroller sendringtonetoitunes:] + 108>: 0xf789 0x15ff 0x7020 0x0001
(gdb) continue

It is correct now. You can continue to process more than 10 records.

It is not finished yet. I wanted to change the executable file, so I found the executable and opened it with hexfiend as described in the blog mentioned earlier. But why couldn't I find these values? Is it encrypted? I almost gave up, but it seemed easier to find the 5005 further back. I searched for 50 05 first, but couldn't find it, then searched again and found it, as shown in the figure. As mentioned above, each group of 2 bytes is stored in reverse order, so the order inside each 2-byte group has to be reversed again. Okay. Change 85 to 84, save to disk, and open it. Everything works.

I won't upload the cracked ringtones, as I have no space. If you are interested, ask me for it. The usual ad: my email (MSN) is AppleDotnet@hotmail.com
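
The byte order the post works out from its x/20h output, as an added example that is not part of the original post: it turns the halfwords printed for the + 92 and + 108 lines back into the byte stream and checks them against the mov and lea lines of the disassembly. The image base 0x100000000 and the dump's start offset 0x4cb3 are assumptions inferred from the 0x1000... targets and the 0x00004cc3 address shown in the post, whose other addresses are truncated.

```python
import struct

# Halfwords exactly as the post's x/20h output prints them for the
# "+ 92" line (8 values) and the "+ 108" line (4 values).
HALFWORDS = [0x4C06, 0x2D8B, 0x70E5, 0x0001, 0x8D48, 0x4E35, 0x0170, 0x4C00,
             0xF789, 0x15FF, 0x7020, 0x0001]

DUMP_START = 0x4CB3        # assumption: 0x00004cc3 (the "+ 108" line) minus 16 bytes
IMAGE_BASE = 0x100000000   # assumption: inferred from targets such as 0x10001bda0


def halfwords_to_bytes(words):
    """x/h shows 16-bit little-endian values; repack them in memory order."""
    return b"".join(struct.pack("<H", w) for w in words)


def rip_relative(mem, offset, insn_len, disp_offset):
    """Return (disp32, target) for a RIP-relative operand.

    offset      -- where the instruction starts inside the dump
    insn_len    -- total instruction length in bytes
    disp_offset -- where the 4-byte displacement sits inside the instruction
    The target is the address of the *next* instruction plus the displacement.
    """
    (disp,) = struct.unpack_from("<i", mem, offset + disp_offset)
    next_insn = IMAGE_BASE + DUMP_START + offset + insn_len
    return disp, next_insn + disp


def decode_post_dump():
    mem = halfwords_to_bytes(HALFWORDS)
    # 4c 8b 2d <disp32> is "mov disp(%rip),%r13"; it starts one byte into
    # the dump, because the first byte still belongs to the previous mov.
    mov = rip_relative(mem, offset=1, insn_len=7, disp_offset=3)
    # 48 8d 35 <disp32> is "lea disp(%rip),%rsi", directly after the mov.
    lea = rip_relative(mem, offset=8, insn_len=7, disp_offset=3)
    return mem, mov, lea


if __name__ == "__main__":
    mem, mov, lea = decode_post_dump()
    print("bytes in memory order:", mem.hex(" "))
    print("mov disp=%#x target=%#x" % mov)
    print("lea disp=%#x target=%#x" % lea)
```

The decoded displacements and targets agree with the `0x170e5 ... # 0x10001bda0` and `0x1704e ... # 0x10001bd10` lines of the disassembly, which confirms that only the display groups bytes in swapped pairs while memory and the file on disk hold them in plain instruction order.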

 
