最新版 Reveal 消除购买框
reveal 消除
查询 expire 得到 IBATrialModeReminderWindowController.h 去掉这个类就行了
__text:0000000100079D05 call cs:_objc_retain_ptr
__text:0000000100079D0B mov rbx, rax
__text:0000000100079D0E mov rsi, cs:selRef_shouldShowTrialModeSheet
__text:0000000100079D15 mov rdi, r14
__text:0000000100079D18 call cs:_objc_msgSend_ptr
__text:0000000100079D1E test al, al
__text:0000000100079D20 jz short loc_100079D3A ->jnz !!!!!!!!!!!!!
__text:0000000100079D22 mov rsi, cs:selRef_showTrialModeSheetForWindow_canDelayContinue_
__text:0000000100079D29 mov ecx, 1
__text:0000000100079D2E mov rdi, r14
__text:0000000100079D31 mov rdx, rbx
__text:0000000100079D34 call cs:_objc_msgSend_ptr
__text:0000000100079D3A
__text:0000000100079D3A loc_100079D3A: ; CODE XREF: -[IBATrialModeReminderPresenter presentTrialModeReminderIfNecessaryForWindow:]+28j
__text:0000000100079D3A mov rdi, rbx
__text:0000000100079D3D pop rbx
__text:0000000100079D3E pop r14
__text:0000000100079D40 pop rbp
__text:0000000100079D41 jmp cs:_objc_release_ptr
__text:000000010008F192 call r13 ; _objc_release
__text:000000010008F195 mov rdi, r12
__text:000000010008F198 call r13 ; _objc_release
__text:000000010008F19B test r14b, r14b
__text:000000010008F19E jz short loc_10008F1A9
__text:000000010008F1A0 test r15b, r15b
__text:000000010008F1A3 jnz loc_10008F422 -> 0040DF7C > /E9 7A020000 jmp QQProtec.0040E1FB
0040DF81 |90 nop
有校验 搜索 校验 verify 得到 IBAAppDelegate.h
@interface IBAAppDelegate : NSObject
{}
- (void)verifyCodeSignature;
看到这里去掉
__text:000000010008F1A3 jnz loc_10008F422 -》 jz !!!!!!!!!
__text:000000010008F1A9
__text:000000010008F1A9 loc_10008F1A9: ; CODE XREF: -[IBAAppDelegate verifyCodeSignature]+7Fj
__text:000000010008F1A9 mov rax, cs:classRef_NSAlert
__text:000000010008F1B0 mov [rbp+var_40], rax
__text:000000010008F1B4 mov rdi, cs:classRef_NSBundle
__text:000000010008F1BB mov rsi, cs:selRef_mainBundle
__text:000000010008F1C2 mov rbx, cs:_objc_msgSend_ptr
__text:000000010008F1C9 call rbx ; _objc_msgSend
__text:000000010008F1CB mov rdi, rax
__text:000000010008F1CE call _objc_retainAutoreleasedReturnValue
__text:000000010008F1D3 mov [rbp+var_38], rax
__text:000000010008F1D7 mov rsi, cs:selRef_localizedStringForKey_value_table_
__text:000000010008F1DE lea rdx, cfstr_ThisCopyOfReve ; "This copy of Reveal is damaged"
__text:000000010008F1E5 lea r13, stru_100183D08
__text:000000010008F1EC xor r8d, r8d
__text:000000010008F1EF mov rdi, rax
__text:000000010008F1F2 mov rcx, r13
__text:000000010008F1F5 call rbx ; _objc_msgSend
可以不弹框了 但还会显示 trial 字符串
搜索 trial 搜索到IBATrialModeReminderTitleBarAccessoryView.h 看到就知道可能是 一个 bar 控件继续搜索
搜索 __IBATrialModeReminderTitleBarAccessoryView_initWithFrame__ 到结尾 看 lldb 调试 finish
出来看到
000000010001FE24 test al, al
__text:000000010001FE26 jz short loc_10001FE6D -> jnz 即可不显示字符串了
__text:000000010001FE28 mov rsi, cs:selRef_ibaWindow
__text:000000010001FE2F mov r14, cs:_objc_msgSend_ptr
__text:000000010001FE36 mov rdi, r15
__text:000000010001FE39 call r14 ; _objc_msgSend
__text:000000010001FE3C mov rdi, rax
__text:000000010001FE3F call _objc_retainAutoreleasedReturnValue
__text:000000010001FE44 mov rbx, rax
__text:000000010001FE47 mov rsi, cs:selRef_setTitleBarAccessoryView_
__text:000000010001FE4E xor edx, edx
__text:000000010001FE50 mov rdi, rbx
__text:000000010001FE53 call r14 ; _objc_msgSend
__text:000000010001FE56 mov rdi, rbx
__text:000000010001FE59 add rsp, 8
__text:000000010001FE5D pop rbx
__text:000000010001FE5E pop r12
__text:000000010001FE60 pop r13
__text:000000010001FE62 pop r14
__text:000000010001FE64 pop r15
__text:000000010001FE66 pop rbp
__text:000000010001FE67 jmp cs:_objc_release_ptr
__text:000000010001FE6D ; ---------------------------------------------------------------------------
__text:000000010001FE6D
__text:000000010001FE6D loc_10001FE6D: ; CODE XREF: -[IBAMainWindowController configureTitleBarAccessoryView]+18j
__text:000000010001FE6D mov rdi, cs:classRef_IBATrialModeReminderTitleBarAccessoryView
__text:000000010001FE74 mov rsi, cs:selRef_alloc
__text:000000010001FE7B mov r12, cs:_objc_msgSend_ptr
__text:000000010001FE82 call r12 ; _objc_msgSend
__text:000000010001FE85 mov rsi, cs:selRef_init
__text:000000010001FE8C mov rdi, rax
__text:000000010001FE8F call r12 ; _objc_msgSend ; !!!!这里是finish 完后到达的地址 !!!!!!!!!!!!!!!!!
__text:000000010001FE92 mov r14, rax
__text:000000010001FE95 mov rsi, cs:selRef_button
__text:000000010001FE9C mov rdi, r14
__text:000000010001FE9F call r12 ; _objc_msgSend
__text:000000010001FEA2 mov rdi, rax
__text:000000010001FEA5 call _objc_retainAutoreleasedReturnValue
__text:000000010001FEAA mov rbx, rax
__text:000000010001FEAD mov rax, cs:_OBJC_IVAR_$_IBAMainWindowController__trialModeReminderPresenter ; IBATrialModeReminderPresenter *_trialModeReminderPresenter;
__text:000000010001FEB4 mov rdx, [r15+rax]
__text:000000010001FEB8 mov rsi, cs:selRef_setTarget_
__text:000000010001FEBF mov rdi, rbx
__text:000000010001FEC2 call r12 ; _objc_msgSend
__text:000000010001FEC5 mov r13, cs:_objc_release_ptr
__text:000000010001FECC mov rdi, rbx
__text:000000010001FECF call r13 ; _objc_release
__text:000000010001FED2 mov rsi, cs:selRef_button
调试过程中用到 hex edit pro OD 去看汇编指令等