I do not know anything about cracking / reverse engineering or whatever... I only know a bit of Ruby/Perl/C++.
I am following this guide to hack a Mac app:
http://www.mrspeaker.net/2011/01/06/mac-hacking/
And I found out the name of the function that checks the firmware version:
_ZN14MsvApplication12VersionCheckERK9XpStringTIcE
I am stuck because I do not know anything about assembly, but look at what I did so far:
ricardos-MacBook:crack ricardo$ gdb /Applications/CMA.app/Contents/MacOS/CMA
(gdb) break _ZN14MsvApplication12VersionCheckERK9XpStringTIcE
Breakpoint 1 at 0x3d637
(gdb) r
Starting program: /Applications/CMA.app/Contents/MacOS/CMA
Reading symbols for shared libraries +++++++++++............................................................................................................................. done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries ................................................. done
Reading symbols for shared libraries .. done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
[Switching to process 63790 thread 0x8803]
Breakpoint 1, 0x0003d637 in MsvApplication::VersionCheck ()
(gdb) disas
Dump of assembler code for function _ZN14MsvApplication12VersionCheckERK9XpStringTIcE:
0x0003d628 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+0>: push %ebp
0x0003d629 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+1>: mov %esp,%ebp
0x0003d62b <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+3>: sub $0x58,%esp
0x0003d62e <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+6>: mov %ebx,-0xc(%ebp)
0x0003d631 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+9>: mov %esi,-0x8(%ebp)
0x0003d634 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+12>: mov %edi,-0x4(%ebp)
0x0003d637 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+15>: mov 0x8(%ebp),%edi
0x0003d63a <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+18>: lea -0x20(%ebp),%edx
0x0003d63d <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+21>: mov 0xc(%edi),%eax
0x0003d640 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+24>: mov %eax,0x4(%esp)
0x0003d644 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+28>: mov %edx,(%esp)
0x0003d647 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+31>: call 0x3ed8c <_ZNK14MsvBrowserCore11GetVitaInfoEv>
0x0003d64c <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+36>: sub $0x4,%esp
0x0003d64f <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+39>: mov -0x20(%ebp),%eax
0x0003d652 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+42>: test %eax,%eax
0x0003d654 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+44>: je 0x3d6dc <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+180>
0x0003d65a <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+50>: lea -0x28(%ebp),%ebx
0x0003d65d <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+53>: mov %eax,0x4(%esp)
0x0003d661 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+57>: mov %ebx,(%esp)
0x0003d664 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+60>: call 0x270eea <dyld_stub__ZNK11MsvVitaInfo18GetProtocolVersionEv>
0x0003d669 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+65>: sub $0x4,%esp
0x0003d66c <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+68>: mov %ebx,0x8(%esp)
0x0003d670 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+72>: mov 0xc(%ebp),%eax
0x0003d673 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+75>: mov %eax,0x4(%esp)
0x0003d677 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+79>: lea -0x3c(%ebp),%esi
0x0003d67a <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+82>: mov %esi,(%esp)
0x0003d67d <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+85>: call 0x7cec0 <_ZN29MsvEventArgsLaunchAutoUpdaterC1ERK9XpStringTIcES3_>
0x0003d682 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+90>: jmp 0x3d690 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+104>
0x0003d684 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+92>: mov %eax,%edi
0x0003d686 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+94>: mov %ebx,(%esp)
0x0003d689 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+97>: call 0xe640 <_ZN9XpStringTIcED1Ev>
0x0003d68e <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+102>: jmp 0x3d6c9 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+161>
0x0003d690 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+104>: mov %ebx,(%esp)
0x0003d693 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+107>: call 0xe640 <_ZN9XpStringTIcED1Ev>
0x0003d698 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+112>: mov 0x2c(%edi),%eax
0x0003d69b <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+115>: mov (%eax),%edx
0x0003d69d <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+117>: mov %esi,0x8(%esp)
0x0003d6a1 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+121>: movl $0x4,0x4(%esp)
0x0003d6a9 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+129>: mov %eax,(%esp)
0x0003d6ac <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+132>: call *0x10(%edx)
0x0003d6af <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+135>: jmp 0x3d6bd <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+149>
0x0003d6b1 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+137>: mov %eax,%edi
0x0003d6b3 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+139>: mov %esi,(%esp)
0x0003d6b6 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+142>: call 0x7ce3c <_ZN29MsvEventArgsLaunchAutoUpdaterD1Ev>
0x0003d6bb <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+147>: jmp 0x3d6c9 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+161>
0x0003d6bd <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+149>: mov %esi,(%esp)
0x0003d6c0 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+152>: call 0x7ce3c <_ZN29MsvEventArgsLaunchAutoUpdaterD1Ev>
0x0003d6c5 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+157>: jmp 0x3d6dc <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+180>
0x0003d6c7 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+159>: mov %eax,%edi
0x0003d6c9 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+161>: mov -0x1c(%ebp),%eax
0x0003d6cc <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+164>: mov (%eax),%edx
0x0003d6ce <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+166>: mov %eax,(%esp)
0x0003d6d1 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+169>: call *0x8(%edx)
0x0003d6d4 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+172>: mov %edi,(%esp)
0x0003d6d7 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+175>: call 0x26ee14 <dyld_stub__Unwind_Resume>
0x0003d6dc <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+180>: mov -0x1c(%ebp),%eax
0x0003d6df <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+183>: mov (%eax),%edx
0x0003d6e1 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+185>: mov %eax,(%esp)
0x0003d6e4 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+188>: call *0x8(%edx)
0x0003d6e7 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+191>: xor %eax,%eax
0x0003d6e9 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+193>: mov -0xc(%ebp),%ebx
0x0003d6ec <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+196>: mov -0x8(%ebp),%esi
0x0003d6ef <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+199>: mov -0x4(%ebp),%edi
0x0003d6f2 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+202>: leave
0x0003d6f3 <_ZN14MsvApplication12VersionCheckERK9XpStringTIcE+203>: ret
End of assembler dump.
(gdb) info registers
eax 0x66b0f0 6729968
ecx 0x3bf48 245576
edx 0xb0523e60 -1336787360
ebx 0xb0523dec -1336787476
esp 0xb0523d10 0xb0523d10
ebp 0xb0523d68 0xb0523d68
esi 0x0 0
edi 0xb0523e04 -1336787452
eip 0x3d637 0x3d637 <MsvApplication::VersionCheck(XpStringT<char> const&)+15>
eflags 0x282 642
cs 0x1b 27
ss 0x23 35
ds 0x23 35
es 0x23 35
fs 0x23 35
gs 0xf 15
(gdb) ni
0x0003d63a in MsvApplication::VersionCheck ()
(gdb) info registers
eax 0x66b0f0 6729968
ecx 0x3bf48 245576
edx 0xb0523e60 -1336787360
ebx 0xb0523dec -1336787476
esp 0xb0523d10 0xb0523d10
ebp 0xb0523d68 0xb0523d68
esi 0x0 0
edi 0x66b0f0 6729968
eip 0x3d63a 0x3d63a <MsvApplication::VersionCheck(XpStringT<char> const&)+18>
eflags 0x282 642
cs 0x1b 27
ss 0x23 35
ds 0x23 35
es 0x23 35
fs 0x23 35
gs 0xf 15
(gdb)
Also, there is this function:
_ZNK14MsvBrowserCore11GetVitaInfoEv
For me it is a lot of nothing, but maybe some dev could find it useful.
My idea is to use gdb and set some variable to 2.05, like the guy from the guide did with set $eax=1.
I would like to make the function VersionCheck always return 2.05.
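As an added illustration (my own code, not from the post above or the guide it links), the Python below decodes the mangled names that appear in the gdb output. gdb already prints the readable form once it stops (the breakpoint line shows `MsvApplication::VersionCheck(XpStringT<char> const&)`), and `c++filt` from binutils does the same from the command line; this block reimplements just enough of the Itanium C++ ABI mangling grammar (the scheme GCC uses on Mac OS X) to show what the `_ZN...` strings encode, so a reader without assembly knowledge can at least tell from the disassembly which calls are const getters, constructors and destructors, and that the `dyld_stub_` prefix marks a stub for an imported function rather than part of the name. The symbol strings used in the comments and tests are the ones from the disassembly in the post; the class and function names in the block are mine.

```python
# Added example, not code from the post or the linked guide: a demangler for the subset
# of Itanium C++ ABI name mangling used by the symbols in the gdb session above (nested
# names, const members, ctors/dtors, template args, references/const, S_/S0_/S1_... back-references).
import re

BUILTIN = {"v": "void", "b": "bool", "c": "char", "i": "int", "j": "unsigned int",  # subset
           "l": "long", "m": "unsigned long", "f": "float", "d": "double", "z": "..."}
QUALIFIER = {"R": "&", "P": "*", "K": " const"}


class Demangler:
    def __init__(self, body):
        self.s, self.i, self.subs = body, 0, []  # subs: candidates for S_, S0_, S1_, ... in order

    def peek(self):
        return self.s[self.i:self.i + 1]

    def take(self, n=1):
        out = self.s[self.i:self.i + n]
        self.i += n
        return out

    def source_name(self):  # <length><identifier>: '14MsvApplication' -> 'MsvApplication'
        m = re.match(r"\d+", self.s[self.i:])
        self.i += m.end()
        return self.take(int(m.group()))

    def substitution(self):  # S_ -> candidate 0, S0_ -> 1, S1_ -> 2, ... (base-36 sequence id)
        self.i += 1  # skip 'S'
        j = self.s.index("_", self.i)
        seq = -1 if j == self.i else int(self.s[self.i:j], 36)
        self.i = j + 1
        return self.subs[seq + 1]

    def template_args(self):  # I <type>... E -> '<T1, T2>'
        self.i += 1  # skip 'I'
        args = []
        while self.peek() != "E":
            args.append(self.type())
        self.i += 1  # skip 'E'
        return "<" + ", ".join(args) + ">"

    def type(self):
        c = self.peek()
        if c in BUILTIN:  # builtins are never substitution candidates
            return BUILTIN[self.take()]
        if c in QUALIFIER:  # reference / pointer / const wrap the inner type
            self.take()
            t = self.type() + QUALIFIER[c]
        elif c.isdigit() or c == "S":  # class name or back-reference, maybe with template args
            t = self.source_name() if c.isdigit() else self.substitution()
            if c.isdigit():
                self.subs.append(t)  # the class/template name itself is a candidate
            if self.peek() != "I":
                return t
            t += self.template_args()
        else:
            raise ValueError(f"unsupported type code {c!r} at offset {self.i} in {self.s!r}")
        self.subs.append(t)  # each completed type becomes a candidate
        return t

    def nested_name(self):  # N [K] <prefix>... <unqualified-name> E -> ('A::B::name', is_const)
        self.i += 1  # skip 'N'
        const = self.peek() == "K"  # K right after N: const member function
        if const:
            self.take()
        parts, last = [], None
        while self.peek() != "E":
            c = self.peek()
            if c.isdigit():
                last = self.source_name()
                parts.append(last)
            elif c == "I":
                parts[-1] += self.template_args()
            elif c in ("C", "D") and last is not None:  # C1/C2 ctor, D0/D1/D2 dtor, named after class
                parts.append(("~" if self.take(2)[0] == "D" else "") + last)
            else:
                raise ValueError(f"unsupported element {c!r} at offset {self.i} in {self.s!r}")
            if self.peek() != "E":  # every proper prefix is a substitution candidate
                self.subs.append("::".join(parts))
        self.i += 1  # skip 'E'
        return "::".join(parts), const


def demangle(symbol):
    # 'dyld_stub_' marks a lazy-binding stub for an imported function on Mac OS X.
    sym = symbol[len("dyld_stub_"):] if symbol.startswith("dyld_stub_") else symbol
    if not sym.startswith("_Z"):
        return sym  # plain C symbol such as _Unwind_Resume
    d, const = Demangler(sym[2:]), False
    if d.peek() == "N":
        name, const = d.nested_name()
    else:
        name = d.source_name()
    params = []
    while d.i < len(d.s):
        params.append(d.type())
    params = [] if params == ["void"] else params  # a lone 'v' means no parameters
    return f"{name}({', '.join(params)})" + (" const" if const else "")
```

Calling `demangle("_ZN29MsvEventArgsLaunchAutoUpdaterC1ERK9XpStringTIcES3_")` returns `MsvEventArgsLaunchAutoUpdater::MsvEventArgsLaunchAutoUpdater(XpStringT<char> const&, XpStringT<char> const&)`: the `C1` is a constructor, and the trailing `S3_` is a back-reference that resolves to the fifth substitution candidate built up so far (`MsvEventArgsLaunchAutoUpdater`, `XpStringT`, `XpStringT<char>`, `XpStringT<char> const`, `XpStringT<char> const&`), which is why the second parameter is the same type as the first. Likewise `_ZNK11MsvVitaInfo18GetProtocolVersionEv` is `MsvVitaInfo::GetProtocolVersion() const`, a const getter with no parameters, and `_ZN9XpStringTIcED1Ev` is the destructor `XpStringT<char>::~XpStringT()`.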