Archive for October 2009
Another fun “crack”, this one for AppZapper, working on the latest version (1.8.0). It works by giving you an infinite number of “trial” zaps.
I ran through the usual process of dumping the binary with otool and grepping for interesting lines. I ended up finding a couple of interesting methods, the first of which is titled -(void)[AZPreferencesController showNag:]. Within that method is a call to -(BOOL)[AZRegistrationController validateExistingRegistrationInformation]. Nop’ing out that call prevented the registration nag dialog from showing at launch, but did not unlock any extra functionality; I left it in anyway. To do this, open up the AppZapper executable in your favorite hex editor and skip to offset 0x3bb1b. All you have to do is replace the five bytes of the call instruction (e883450100, i.e. e8 followed by a 32-bit relative displacement) with five nops (9090909090). A nop (opcode 90) is a one-byte instruction that does nothing, so swapping the call for the same number of nops removes the check without shifting any of the surrounding instructions.
The next interesting method I came across was titled -(void)[AZAppController _finishProcessingApps:]. Sounds boring, I know, but it contains an important call to the method -(BOOL)[AZRegistrationController canZap]. This is the method that decides whether or not the application is allowed to zap. All I had to do was nop out the je immediately after this call (the branch the failure path takes when zapping is not allowed), and the app would allow me to zap indefinitely beyond “0 trial zaps remaining” (I think I’m at -17 now). All you have to do is nop out the six-byte je (0f848d010000, 0f 84 plus a 32-bit displacement) with the good ol’ 909090909090 at offset 0x35527.
NOTE: This only works on x86-32. If you aren’t running an Intel chip, buy a new computer already. The offsets above are file offsets into the i386 code of version 1.8.0; a different build or architecture will put these instructions somewhere else, so check that the bytes at the offset match before you overwrite them.
The “crack” here is pretty simple and appears to still work on the latest version of the app (2.0.6), though the offset has changed from version to version. After dumping the app with otool and grepping my way through the file, I stumbled upon quite a few interesting methods, the most important of which is +(BOOL)[LicenseController isTrial]. Within this method is a je instruction at offset 0x114ab. Changing this je (jump if equal) to a jne (jump if not equal) inverts the trial check, so the app does the opposite of what it should when deciding whether or not we are running a trial. If you have a valid license (I now do), it will kick you out; if you do not have a valid license, you can enjoy your “registered” copy! All that you need to do is fire up your favorite hex editor and change the byte at 0x114ab from 74 (the opcode for the short je) to 75 (short jne). The displacement byte that follows stays the same, so the jump target is unchanged and only the condition is flipped.
NOTE: This only works on x86-32. If you aren’t running an Intel chip, buy a new computer already. As with any fixed offset, confirm that the byte at 0x114ab really is 74 in your copy before changing it; a different build will not match.
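Both posts above boil down to the same move: overwrite a few bytes at a known file offset without changing the length of the instruction stream. The script below is an added example (not the original posts’ code, nor part of either app) that does those three edits with a guard the hex-editor approach lacks: it refuses to write unless the bytes at the offset are exactly the ones the post says are there, so a stale offset from another version fails loudly instead of silently corrupting an unrelated instruction. It also decodes the relative displacement of the call and the je to show where they land, and converts an otool virtual address to a file offset given the __TEXT segment values from `otool -l` (those values are per-binary inputs, assumed here). The sample “binaries” are constructed buffers with the expected bytes planted at the posts’ offsets; `patch_file`, `vmaddr_to_file_offset` and `constructed_binary` are names chosen for this example.

```python
"""Added example: a verifying offset patcher for the AppZapper nops and the
isTrial je->jne flip described above. Not the original posts' code; the
buffers built by constructed_binary() are fake, not the real executables."""
import shutil
import struct
from pathlib import Path

NOP = b"\x90"

# (file offset, bytes expected at that offset, length-preserving replacement)
# AppZapper 1.8.0: nop the 5-byte call (e8 rel32) to
# -[AZRegistrationController validateExistingRegistrationInformation]
APPZAPPER_NAG = (0x3BB1B, bytes.fromhex("e883450100"), NOP * 5)
# AppZapper 1.8.0: nop the 6-byte je rel32 (0f 84) after the canZap call
APPZAPPER_CANZAP = (0x35527, bytes.fromhex("0f848d010000"), NOP * 6)
# Second app, 2.0.6: flip short je (74) to jne (75) in +[LicenseController isTrial]
ISTRIAL_FLIP = (0x114AB, bytes.fromhex("74"), bytes.fromhex("75"))


def branch_target(offset, insn):
    """File offset reached by an e8 call, a 0f 8x near jcc, or a 7x short jcc
    at `offset`. x86 displacements are relative to the end of the instruction,
    so target = offset + len(insn) + displacement."""
    if insn[0] == 0xE8 and len(insn) == 5:
        disp = struct.unpack("<i", insn[1:5])[0]
    elif insn[0] == 0x0F and 0x80 <= insn[1] <= 0x8F and len(insn) == 6:
        disp = struct.unpack("<i", insn[2:6])[0]
    elif 0x70 <= insn[0] <= 0x7F and len(insn) == 2:
        disp = struct.unpack("<b", insn[1:2])[0]
    else:
        raise ValueError("not a call rel32, jcc rel32 or jcc rel8")
    return offset + len(insn) + disp


def vmaddr_to_file_offset(vmaddr, seg_vmaddr, seg_fileoff):
    """otool -tV prints virtual addresses; a hex editor wants file offsets.
    seg_vmaddr/seg_fileoff are the __TEXT segment's vmaddr and fileoff as
    shown by `otool -l` (assumed inputs, they differ per binary)."""
    return vmaddr - seg_vmaddr + seg_fileoff


def apply_patch(data, offset, expected, replacement):
    """Return a patched copy of `data`; raise if the bytes do not match."""
    if len(expected) != len(replacement):
        raise ValueError("replacement must keep the instruction stream length")
    found = bytes(data[offset:offset + len(expected)])
    if found != expected:
        raise ValueError(f"offset {offset:#x}: found {found.hex()}, expected "
                         f"{expected.hex()} (wrong version or arch slice?)")
    return bytes(data[:offset]) + replacement + bytes(data[offset + len(replacement):])


def patch_rejected(data, offset, expected, replacement):
    """True if apply_patch refuses the patch (demonstrates the version check)."""
    try:
        apply_patch(data, offset, expected, replacement)
    except ValueError:
        return True
    return False


def patch_file(path, patches):
    """Back up `path` to path.bak, apply every patch, write the result."""
    p = Path(path)
    shutil.copy2(p, p.with_name(p.name + ".bak"))
    data = p.read_bytes()
    for offset, expected, replacement in patches:
        data = apply_patch(data, offset, expected, replacement)
    p.write_bytes(data)
    return len(patches)


def constructed_binary(patches, size=0x40000):
    """Fake executable (all zeros) with the expected bytes planted at the
    offsets the posts give. Constructed sample input, not a real app."""
    buf = bytearray(size)
    for offset, expected, _ in patches:
        buf[offset:offset + len(expected)] = expected
    return bytes(buf)


def demo():
    """Apply both AppZapper patches to one fake binary and the isTrial flip
    to another; returns the two patched buffers."""
    az = constructed_binary([APPZAPPER_NAG, APPZAPPER_CANZAP])
    for offset, expected, replacement in (APPZAPPER_NAG, APPZAPPER_CANZAP):
        az = apply_patch(az, offset, expected, replacement)
    other = apply_patch(constructed_binary([ISTRIAL_FLIP]), *ISTRIAL_FLIP)
    return az, other


if __name__ == "__main__":
    print(f"call at 0x3bb1b reaches {branch_target(*APPZAPPER_NAG[:2]):#x}")
    print(f"je at 0x35527 reaches {branch_target(*APPZAPPER_CANZAP[:2]):#x}")
    az, other = demo()
    print(az[0x3BB1B:0x3BB20].hex(), az[0x35527:0x3552D].hex(), other[0x114AB:0x114AC].hex())
```

The offsets in the posts are offsets into the i386 code; if the executable on disk is a universal binary, extract that slice first (`lipo -thin i386 -output AppZapper.i386 AppZapper`) or add the slice’s fat-header offset, otherwise the expected-bytes check will refuse the patch, which is exactly the point of having it.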
