Intro

This post is about reversing... but for a macOS binary. Let's dive straight into it.

Modding on macOS is fairly new to me, but a binary is a binary and it can be modded! I started to daily drive macOS a month or two ago; the why and what is a whole different story to post about.

Like I have said previously in my other RE posts, "I don't trust mods from the internet." If I can mod it then it's fine, otherwise I'm paying for it.

I have just started to understand the quirks of "OS X". Though some of my methods may be crude, they work; I will perfect them.

Target

So there is this great app for cleaning your Mac's junk/storage files, but the free version only lets you clean 500MB daily. The premium version is a whopping 3k per year... do you get where I am going with this? YES! Modding for fun and profit (PROFIT = personal use).

Tools

So I'm gonna be trying out Ghidra, "the NSA's reverse engineering tool", mainly because it's an open source tool and I have wanted to do some reverse engineering with it for a long time now.

Make sure you have Homebrew installed and then run the following command:

brew install --cask ghidra

Making observations of the target

The app throws a "nag screen" at you whenever you use it, and it blocks the use of features (you cannot use the app to remove more than 500MB of data, privacy scanning won't work unless you pay, etc.).

  • 500MB storage limit reached 'nag screen'

  • Trial period expired ‘nag screen’

Basics & Understanding Ghidra

All macOS apps have the following structure; the main binary will always be inside the MacOS directory.

Launch Ghidra and create a new project, then drag and drop the binary into the project.

Mac has this "Mach-O" binary format: basically a universal binary contains the different target executables, e.g. the arm binary vs the x86 binary. Mine is an x86 machine, so I will be modding that one alone.
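The universal layout described above, as an added example (not code from the original post and not tied to any particular app): a small Python parser that reads the fat header, lists each architecture slice and cuts one out, cross-checking the slice's own Mach-O header against the fat table. The sample bytes are constructed in `build_sample()` and the function names are my own.

```python
import struct
FAT_MAGIC = 0xCAFEBABE        # universal ("fat") header, stored big-endian
MH_MAGIC_64 = 0xFEEDFACF      # thin 64-bit Mach-O header, little-endian on x86_64/arm64
CPU_TYPE_X86_64, CPU_TYPE_ARM64 = 0x01000007, 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}


def list_slices(data: bytes) -> list:
    """Describe the architecture slices in a Mach-O file (fat or thin)."""
    if len(data) < 8:
        raise ValueError("too short for a Mach-O header")
    (magic,) = struct.unpack(">I", data[:4])
    if magic != FAT_MAGIC:
        # thin file: the whole file is one slice; read cputype from mach_header_64
        thin_magic, cputype = struct.unpack("<Ii", data[:8])
        if thin_magic != MH_MAGIC_64:
            raise ValueError(f"unrecognised magic {magic:#010x}")
        return [{"arch": CPU_NAMES.get(cputype, hex(cputype)), "offset": 0, "size": len(data)}]
    (nfat,) = struct.unpack(">I", data[4:8])
    slices = []
    for i in range(nfat):
        entry = data[8 + 20 * i : 28 + 20 * i]     # one 20-byte fat_arch record
        if len(entry) < 20:
            raise ValueError("truncated fat_arch table")
        cputype, _sub, offset, _align, size = struct.unpack(">iiIII", entry)
        if offset + size > len(data):
            raise ValueError(f"slice {i} extends past end of file")
        slices.append({"arch": CPU_NAMES.get(cputype, hex(cputype)), "offset": offset, "size": size})
    return slices


def extract_slice(data: bytes, arch: str) -> bytes:
    """Cut one slice out of a fat file, checking its own header names the same arch."""
    for s in list_slices(data):
        if s["arch"] == arch:
            thin = data[s["offset"] : s["offset"] + s["size"]]
            if list_slices(thin)[0]["arch"] != arch:
                raise ValueError("fat table and slice header disagree about architecture")
            return thin
    raise KeyError(f"no {arch} slice in file")


def build_sample() -> bytes:
    """Constructed two-slice universal file with stub headers (not a real application)."""
    hdr = struct.pack(">II", FAT_MAGIC, 2)
    hdr += struct.pack(">iiIII", CPU_TYPE_X86_64, 3, 0x1000, 12, 32)   # x86_64 slice
    hdr += struct.pack(">iiIII", CPU_TYPE_ARM64, 0, 0x2000, 14, 32)    # arm64 slice
    blob = bytearray(0x2000 + 32)
    blob[: len(hdr)] = hdr
    blob[0x1000:0x1008] = struct.pack("<Ii", MH_MAGIC_64, CPU_TYPE_X86_64)
    blob[0x2000:0x2008] = struct.pack("<Ii", MH_MAGIC_64, CPU_TYPE_ARM64)
    return bytes(blob)
```

On a real universal binary, `list_slices(open(path, "rb").read())` reports the same slices that `lipo -info` would.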

After the import, Ghidra will automatically ask you to analyse the target binary; choose Analyse (it will make our life easier). Depending on the binary size and your CPU cores, it may take a couple of minutes.

Only focus on the following five windows; that is enough to get the job done.

  • 1 = contains the symbol table; this is where we do most of the filtering.
  • 2 = shows the disassembly of the binary (assembly language); this is where we do the actual reversing, i.e. patching, understanding logic, etc.
  • 3 = a great feature: shows the equivalent C code for the selected assembly section.
  • 4 & 5 = show the incoming and outgoing function calls; this will help us find interesting things about the binary, which can then be used for identifying logic and patching.

IF ANY OF THE ABOVE WINDOWS ARE NOT OPEN, YOU CAN ENABLE THEM THROUGH THE MENU OPTION “WINDOW”.

Analysis

It will take some time to find what you are looking for, but I have already invested time in this, so what we need is the "activationManager" class; it has all sorts of interesting functions like "activationStatus", "isAppActivated", etc. Looking for references, it is used throughout the app, so let's change it.

Looking around, we find the different status codes inside “activationStatus”.

By checking other functions, it becomes obvious that changing only the "isAppActivated" function is enough. The return type of the function is "char"; with reference to "status" from above, we should return "3". From the ASCII table, "0x33" is the equivalent of "3".

Patch the "isAppActivated" function with the following code.

push   rbp
mov    rbp,rsp
mov    DWORD PTR [rbp-0x4],0x0
mov    eax,0x33
pop    rbp
ret

Then export the program ("File -> Export Program"); our patched binary is ready. Now give it executable permission and move it to the original directory.

Rename the original.

Signing & Running the modded binary for PROFIT

Unlike Windows and Linux, macOS won't run applications without the binary being signed, but we can generate our own certificates for personal use (you don't have to buy a developer account for $99/year).

Create a certificate using "Keychain Access".

Choose "Code Signing" in "Certificate Type".

Go to the application root "/Applications/" to re-sign the entire app.

sudo codesign -s "<name-of-certificate>" -fv CleanMyMac-MAS.app/

Run the app. Now it's been modded and I don't have to pay 3k INR a year or worry about untrusted binaries from the internet.

You can see from the image that all the premium features are now unlocked, and we can also remove junk files exceeding 500MB.

End

This was a fun exercise to dig around in. macOS is not as limited as I thought it was... sure, it has its quirks.