Reverse Engineering: Getting rid of “XtraFinder Beta has expired!” nag alert
by admin on Dec.14, 2014, under MAC OS X, ReverseEngineering
If you ever were forced to update (or stop using) XtraFinder due to said error message (Xtra Finder Beta has expired) rest assured – I got an easy solution for you that comes with this tiny reverse engineering tutorial.
Target version: XtraFinder v0.25
Used tools: Hopper Disassembler v3.5.9
First off, load the target file into Hopper. The file is located at /Library/ScriptingAdditions/XtraFinder.osax/Contents/MacOS/XtraFinder
After loading it, the first thing you’d like to do is to search e.g. the title of the error message.
 |
The search will return one result, click on it and it will bring you to the location in the file it is stored in.
 |
Hit X on your keyboard and Hopper will show you the cross references to this specific text. Since there’s only one result you can double click on it and it will bring you there.
Make sure to click on XREF so it gets highlighted:
 |
Repeat the same step again (press X to find cross references).
 |
So yeah we basically reach the code that is using the string we no longer want to see. Taking a look at the code indicates there’s a method called forceCheckForUpdates:
 |
Mark the very first line in this procedure:
 |
and try to search for XREF‘s to this offset:
 |
Dang! No results. However, since this is a function (and functions usually get called), we can repeat the search for places referencing this Objective-C method (SHIFT + ALT + X).
 |
 |
So we basically just found the check determining whether or not to show the nag screen. JNE is an assembly instruction meaning JUMP IF NOT EQUAL. So if the comparison before that JNE turns out to be not equal, it won’t show the nag screen. We won’t even bother much analyzing the code behind, since we may simply patch the JNE with JMP (always jump). You can find an option to do so in the main menu >> Scripts >> JE > JMP :
 |
Save your changes via File -> Produce New Executable and replace the old binary file with your modified one. Reboot your Mac and you’ll see the application works without forcing you to update. 😀
Update: November 19, 2016:
As stated by various users through the comments and emails, recent versions of XtraFinder will crash now if not signed properly. When saving the executable in Hopper Disassembler do choose not to remove the code signature when saving the file:
 |
Otherwise it will compute the executable’s __LINKEDIT segment size incorrectly and “codesign” will refuse to sign the file later.
Instead, use a proper macho editor such as this one. If you’re feeling lazy and don’t want to compile it on your own, you may fetch the precompiled binary here: macho_edit.zip
Use it like this with the patched binary you created with Hopper Disassembler earlier:
./macho_edit XtraFinder
Type “2” in order to “Load command edit” and then “5” in order to “Remove code signature”. Afterwards type “6” to “Cancel” and “3” to “Exit”. Voila – the code signature was properly removed.
Now you’ll have to resign it using a valid code signing certificate. You can create one on your own using OpenSSL or you might as well simply use this fake code signing certificate valid for 10 years (double click on the file in order to import it into your keychain, the password is 1234): betamaster_codesigning.zip
After creating/importing the certificate, sign your modified binary like this:
sudo codesign -s "BetaMaster" XtraFinder
After rebooting, your patched XtraFinder will start up. Alternatively you may also restart Finder (CMD + ALT + ESC).
If you weren’t able to follow the steps above, you may also want to download the patched binary here (you might have to import the certificate above first, since macOS otherwise won’t know the certificate the application was signed with): xtrafinder_0_25_9_patched.zip. You’re welcome. 😉
18 Comments for this entry
Leave a Reply
-
Welcome
This blog was designed to be filled with articles related to some of our more recent projects, macOS and linux guides (particularly Debian), coding and plenty of other topics.
Navigator:
November 1st, 2015 on 13:34
Thank you so much!
Since a week i wanted to throw my macbook out of the window after startup, but now it is fixed. 🙂
Info: OSX 10.10, XtraFinder 0.25.5
November 2nd, 2015 on 14:44
Doesn’t work wit 0.25.5
maybe you skipped some steps, like you did with the “go to modify/Assemble instruction”, and eventually when you’ve been prompted with the yes or no after “Produce New Executable”. (I chosed NO)
when you import the file into Hopper it asks you some things that you don’t tell here… I’ve done it default.
Thank you!
November 2nd, 2015 on 16:40
sorry, it works…
🙂
When I chose Yes at the final save dialog stage, I never saw the saved item… dunno why… finally I made it.
Thanks a lot!
January 7th, 2016 on 07:12
I have successfully patched XtraFinder 0.25.3 running on 10.6.8. I have always wanted to mess around in assembly language. Thanks for showing us how!
August 2nd, 2016 on 20:28
Dear betamaster,
thanks for the findings and the manual. I am failing, though 🙁 It would be so awesome if you uploaded a zip or dmg of the modded binary (or even full app) and shared the link?
Thank you,
Bugs
August 3rd, 2016 on 04:47
Very nice tutorial, thanks a lot 🙂
August 3rd, 2016 on 09:23
Very helpful your code.However how can i edit on Hooper soft edit : “jne” to write “jump”.
How can i do that ?
Thanks
August 3rd, 2016 on 20:58
hmm, does not work any more. 25.8 .. all looked exactly as you told, but at save, hopper warns that this is a signed binary, thus it does not work I guess
August 4th, 2016 on 06:59
Hi there.
I went to the final step but the problem is that I don’t know how to replace JNE with JMP code.
It would be precious to illuminate me on this.
Thanks.
August 4th, 2016 on 19:00
Any chance you could upload the patched binary or make a patch? (I don’t have hopper or even know how to use it)
thanks
August 4th, 2016 on 20:01
Hi,
I did it, but I’m in trouble with saving new executable. What can I do with the file signature?
The size of file has changed therefore the old signature is invalid. I can remove or leave it unchanged, but neither way works for me.
I think this is the only problem, all of the previous step was clear.
Thanx,
ArrayOfLilly
August 6th, 2016 on 09:53
Hello,
thanks very much for instructions.
I managed to carry out all steps as described, finding all the relevant text. Only some accompanying numbers here and there were a bit different to those shown in your pictures (you see, I’m not an expert).
When it comes to saving the result, I get a warning about the signature.
I tried both: Saving without signature, and saving with the old (presumably now invalid) signature.
None of these would eventually work.
I read somewhere a comment (which actually led me to your instruction), where someone seemed to have the same problem. He wrote, he couldn’t manage to sign the file and thus failed in fixing the nag message.
Can you please help with any further suggestion?
Is there a way I can produce a valid signature?
It would be very kind of you to let me hear from you.
Best regards
Marc
August 10th, 2016 on 15:00
Hi, really appreciate the reverse engineering for XtraFinder. It worked on OSX 10.8.5 Mountain Lion, but can’t seem to get it to work in el Capitan using the same instructions. When I replace the executable XtraFinder won’t launch (seems to crash at launch). Any suggestions? Much appreciated.
August 11th, 2016 on 17:38
Here is the answer for my previous question:
http://www.insanelymac.com/forum/topic/313846-xtrafinder-0258-latest-build-dec-2015-say-beta-has-expired/
August 13th, 2016 on 06:02
Hallo there,
is it possible to describe your howto with more details?
I tried your howto with the latest version. But it doesen’t work. After your steps xtrafinder doesen’t start.
Please help
thx
August 15th, 2016 on 00:51
You don’t know how long I’ve been trying to get rid of this XtraFinder update. Thank God after endless searching that I found this site and downloaded the Hopper app. Thanx again!
November 19th, 2016 on 22:16
Hi mate, sorry for the late follow up regarding the XtraFinder reverse engineering tutorial, I’ve been kinda busy moving to another country. I updated the instructions in order to work with the newest version.
September 6th, 2017 on 01:10
Thanks a lot!
Disassembling would be a bit too much for me 😉 but using your modified binary file I’ve been able to patch my XtraFinder and got rid of the annoying Beta msg.
Having a modified binary file for XtraFinder v. 0.26 (latest version) would be perfect, but v. 0.25.9 is probably quite similar.
Anyway, very good job mate, thanks again!