However, I do not believe that obscurity and ignoring the problem is an acceptable solution. Well, not you specifically, but by you I mean the average Mac developer. It's too easy to crack Mac apps. Way too easy. By walking through how I can hack your app with only one Terminal shell, I hope to shed some light on how this is most commonly done, and hopefully convince you to protect yourself against me. I'll be ending this article with some tips to prevent this kind of hack. In order to follow along you're going to need a few command line utilities. You're going to need the Xcode tools installed.

And, lastly, you're going to need an app to operate on. I chose Exces , a shareware App I wrote a long time ago. Let's start by making sure we have the two utilities we need: otx and class-dump. I like to use Homebrew as my package manager of choice. Note that I will use command line utilities only, including vim. The first step is to poke into the target app's headers, gentlemanly left intact by the unwitting developer.

What do we have here?! A badly spelt variable and what looks like three methods related to registration. We can now focus our efforts around these symbols.

Let's continue poking by disassembling the source code for these methods. Note that Exces is a universal binary, and that we need to ensure we only deal with the active architecture. In this case, Intel's i Let us find out what verifyLicenseFile: does. This is not straight Objective-C code, but rather assembly-what C compiles into.

With this in mind, we can realize that verifyLicenseFile: calls the method verifyPath: and later sets the boolean instance variable registred. We can guess that verifyPath: is probably the method that checks the validity of a license file. We can see from the header that verifyPath: returns an object and thus would be way too complex to patch.

We need something that deals in booleans. No bite. The breakpoint is not hit on startup. We can assume that there's a good reason why verifyLicenseFile: and verifyPath: are two separate methods. While we could patch verifyLicenseFile: to always set registred to true, verifyLicenseFile: is probably called only to check license files entered by the user.

Quit gdb and let's instead search for another piece of code that calls verifyPath:. In the otx dump, find the following in awakeFromNib:. Since awakeFromNib is executed at launch, we can safely assume that if we override this check, we can fool the app into thinking it's registered. The easiest way to do that is to change the je into a jne, essentially reversing its meaning.

If we simply switch the binary code for the je to , at address c9c, we should have our crack. Let's test it out in gdb. We break on awakeFromNib so we're able to fiddle around while the app is frozen. Now here's the confusing thing to be aware of: endianness.


While on disk, the binary code is normal, intel is a little-endian system which puts the most significant byte last, and thus reverses every four-byte block in memory. We recognize the first two bytes from earlier. We need to switch the first two bytes to Let's start by disassembling the method so we can better see our way around.

Find the relevant statement:. Here we set the first byte at 0xc9c. By simply counting in hexadecimal, we know that the next byte goes at address 0xc9d, and set it as such. Just move the app file to your Mac — No activation needed.

