Cracking the Perl

This evaded me for a week, truly frustrating. The single-script line of Perl code in question:

$ perl -pi -e 's/\x77\x39\x07\x0F\x1F\x44\x00\x00\x55/\x77\x39\x07\x0F\x1F\x44\x00\x00\xC3/g' /Applications/{Application.app}/Contents/MacOS/Resolve

Ingredients: RegEx

Looks like it's patching the file by replacing that sequence of bytes with another:

0x77 0x39 0x07 0x0F 0x1F 0x44 0x00 0x00 0x55

is replaced by

0x77 0x39 0x07 0x0F 0x1F 0x44 0x00 0x00 0xC3.

Probably the first few bytes there are an identifier and the last byte is a boolean for "are you an unlocked copy of the app?"

Direction: Disassembly

Most likely it patches the object code, not data (decoding it in 32-bit mode, not 16):

$ ndisasm -b 32 -i  <(perl -e'print "\x77\x39\x07\x0F\x1F\x44\x00\x00\x55"')
00000000  7739              ja 0x3b
00000002  07                pop es
00000003  0F1F440000        nop dword [eax+eax+0x0]
00000008  55                push ebp

$ ndisasm -b 32 -i  <(perl -e'print "\x77\x39\x07\x0F\x1F\x44\x00\x00\xC3"')
00000000  7739              ja 0x3b
00000002  07                pop es
00000003  0F1F440000        nop dword [eax+eax+0x0]
00000008  C3                ret

The beginning of the sequence is still probably garbage (either it does not start on an instruction boundary or it is data being decoded as code), but the last byte holds the clue. push ebp is commonly the first instruction of a function (it sets up the frame pointer). It is being replaced by ret, so whatever function starts at that byte returns immediately and is bypassed entirely. Everything before it just provides context bytes so that the right function is patched.
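From the defender's side, the same byte sequence is a tamper signature: an integrity check can look for the pristine prologue bytes and for the patched variant and report which one a binary carries. The following Python script is an added example, not code from the post; it decodes the \xNN escapes of the Perl search and replace halves into raw bytes, scans a buffer for both, and returns a verdict. The sample "binary" is constructed inline (filler bytes around the signature); the real Resolve executable is not included. On a 64-bit macOS binary the same opcodes decode as push rbp / ret, so the conclusion is unchanged.

```python
import re
import sys

# Search and replace halves of the Perl one-liner, as written in the post.
ORIGINAL_PATTERN = r"\x77\x39\x07\x0F\x1F\x44\x00\x00\x55"
PATCHED_PATTERN = r"\x77\x39\x07\x0F\x1F\x44\x00\x00\xC3"

_HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")


def perl_escapes_to_bytes(pattern: str) -> bytes:
    """Turn a Perl-style run of \\xNN escapes into the raw bytes it matches.

    Anything that is not a \\xNN escape is rejected, so a pattern with real
    regex metacharacters cannot silently be mistaken for a byte string.
    """
    out = bytearray()
    pos = 0
    for m in _HEX_ESCAPE.finditer(pattern):
        if m.start() != pos:
            raise ValueError(f"unsupported text at offset {pos}: {pattern[pos:m.start()]!r}")
        out.append(int(m.group(1), 16))
        pos = m.end()
    if pos != len(pattern):
        raise ValueError(f"unsupported text at offset {pos}: {pattern[pos:]!r}")
    return bytes(out)


ORIGINAL_BYTES = perl_escapes_to_bytes(ORIGINAL_PATTERN)  # ends in 0x55, push ebp
PATCHED_BYTES = perl_escapes_to_bytes(PATCHED_PATTERN)    # ends in 0xC3, ret


def find_all(haystack: bytes, needle: bytes) -> list:
    """Return every offset where needle occurs (overlapping hits included).

    The one-liner uses /g, so it rewrites every occurrence; a detector should
    therefore report all hits, not just the first.
    """
    offsets = []
    start = 0
    while True:
        idx = haystack.find(needle, start)
        if idx < 0:
            return offsets
        offsets.append(idx)
        start = idx + 1


def classify(blob: bytes) -> dict:
    """Offsets of the pristine signature and of the patched signature."""
    return {
        "pristine": find_all(blob, ORIGINAL_BYTES),
        "patched": find_all(blob, PATCHED_BYTES),
    }


def verdict(blob: bytes) -> str:
    """Summarise the scan: 'patched', 'pristine' or 'signature-not-found'."""
    hits = classify(blob)
    if hits["patched"]:
        return "patched"
    if hits["pristine"]:
        return "pristine"
    return "signature-not-found"


# Constructed sample data (not bytes from the real application): a few
# filler bytes, the signature, then a plausible rest of a function prologue.
FILLER_BEFORE = b"\x90" * 13 + b"\x31\xc0"   # nops, xor eax,eax
FILLER_AFTER = b"\x89\xe5\x83\xec\x10"       # mov ebp,esp; sub esp,0x10
SAMPLE_PRISTINE = FILLER_BEFORE + ORIGINAL_BYTES + FILLER_AFTER
SAMPLE_PATCHED = SAMPLE_PRISTINE.replace(ORIGINAL_BYTES, PATCHED_BYTES)


if __name__ == "__main__":
    # Scan a file given on the command line, otherwise the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            targets = {sys.argv[1]: fh.read()}
    else:
        targets = {"sample-pristine": SAMPLE_PRISTINE, "sample-patched": SAMPLE_PATCHED}
    for name, blob in targets.items():
        print(f"{name}: {verdict(blob)} {classify(blob)}")
```

The eight leading context bytes are what make this usable as a signature: on their own, 0x55 and 0xC3 occur everywhere in x86 code, so a check keyed only on the final byte would be meaningless.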

Nutrition: Jargon

  1. JA is "jump if above", i.e., transfer/branch/GOTO if greater than.

  2. DB 0 is a literal byte; not sure what that does in this context.

  3. The ndisasm command generates a disassembly listing of the binary file infile and directs it to stdout.

  4. Then we have either a push-to-stack of the stack pointer, or, in the crack, an add of register A to register B.

Non-technical TL;DR: Probably need to know what comes after the patched code to know the effect. It might really be just that the limited version lacks add, while the paid version does the add. Or, sometimes cracks resort to doing weird things to break the "am I paid for?" code in just the right way.