Here it is, another example of my super l33t lame coding skills! This wonder code will decrypt an Apple crypted binary via memory dumping. Maybe direct decryption (based on Amit Singh's code) would be easier and nicer, but I wanted to do it this way as a test and an exercise. The code has a lot of comments that should help you understand what is being done.
Basically the trick is to load the binary and attach ptrace to it, and then dump using the Mach vm_read function. The Mach-O header needs to be processed to find what to dump! There is no problem with ptrace anti-debugging because PT_TRACE_ME stops the program before any instruction is executed, and at that stage the program is already decrypted (way to go Apple!). I had to use ptrace because I couldn't find a way to have Mach task_suspend do the same job. If you know how, please tell me.
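The Mach-O header walk mentioned above is the part of the job that is pure file-format parsing, and it is also what a triage tool needs in order to tell which segments of a binary Apple's "protection" actually encrypts. The following is an added example written for this post, not fG!'s dumper and not code from any of the linked files: it walks the load commands of a 32-bit Mach-O header with bounds checks and counts the LC_SEGMENT entries carrying the SG_PROTECTED_VERSION_1 flag. The struct layouts and constants mirror <mach-o/loader.h> but are declared locally so the example builds on a non-Apple host; the Mach-O image it inspects is a small constructed header (two segments, __TEXT flagged protected, __DATA plain), not a real binary.

```c
/* Added example (not fG!'s dumper): walk the load commands of a 32-bit
 * Mach-O header and report which LC_SEGMENT entries carry the
 * SG_PROTECTED_VERSION_1 flag, i.e. the segments that are encrypted on
 * disk. Struct layouts and constants mirror <mach-o/loader.h>, declared
 * here so the example also builds off macOS (assumption: host byte order
 * matches the image, as it does for a native i386 binary). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MH_MAGIC                0xfeedface  /* 32-bit Mach-O, host byte order */
#define LC_SEGMENT              0x1
#define SG_PROTECTED_VERSION_1  0x8         /* segment is encrypted on disk */

struct mach_header {
    uint32_t magic, cputype, cpusubtype, filetype;
    uint32_t ncmds, sizeofcmds, flags;
};
struct load_command { uint32_t cmd, cmdsize; };
struct segment_command {
    uint32_t cmd, cmdsize;
    char     segname[16];
    uint32_t vmaddr, vmsize, fileoff, filesize;
    int32_t  maxprot, initprot;
    uint32_t nsects, flags;
};

/* Bounds-checked walk over the load commands of an in-memory image.
 * Returns the number of protected segments, or -1 if the header is
 * malformed (bad magic, sizeofcmds or a cmdsize overrunning the buffer). */
int count_protected_segments(const uint8_t *image, size_t len, int verbose)
{
    struct mach_header mh;
    if (len < sizeof mh) return -1;
    memcpy(&mh, image, sizeof mh);
    if (mh.magic != MH_MAGIC) return -1;

    size_t off = sizeof mh;
    size_t end = off + mh.sizeofcmds;
    if (end > len) return -1;                   /* sizeofcmds overruns the buffer */

    int protected_count = 0;
    for (uint32_t i = 0; i < mh.ncmds; i++) {
        struct load_command lc;
        if (off + sizeof lc > end) return -1;
        memcpy(&lc, image + off, sizeof lc);
        if (lc.cmdsize < sizeof lc || off + lc.cmdsize > end) return -1;

        if (lc.cmd == LC_SEGMENT && lc.cmdsize >= sizeof(struct segment_command)) {
            struct segment_command sc;
            memcpy(&sc, image + off, sizeof sc);
            int prot = (sc.flags & SG_PROTECTED_VERSION_1) != 0;
            if (verbose)
                printf("%-16.16s vmaddr=0x%08x vmsize=0x%08x %s\n",
                       sc.segname, sc.vmaddr, sc.vmsize,
                       prot ? "PROTECTED" : "plain");
            protected_count += prot;
        }
        off += lc.cmdsize;                      /* next command */
    }
    return protected_count;
}

/* Constructed sample image: a header followed by two LC_SEGMENT commands,
 * __TEXT flagged protected and __DATA plain. No real binary is involved.
 * Returns the image length, or 0 if the buffer is too small. */
size_t build_sample_image(uint8_t *buf, size_t cap)
{
    struct segment_command text = { LC_SEGMENT, sizeof(struct segment_command), "__TEXT",
                                    0x1000, 0x2000, 0, 0x2000, 7, 5, 0, SG_PROTECTED_VERSION_1 };
    struct segment_command data = { LC_SEGMENT, sizeof(struct segment_command), "__DATA",
                                    0x3000, 0x1000, 0x2000, 0x1000, 7, 3, 0, 0 };
    struct mach_header mh = { MH_MAGIC, 7 /* CPU_TYPE_X86 */, 3, 2 /* MH_EXECUTE */,
                              2, 2 * sizeof(struct segment_command), 0 };
    size_t need = sizeof mh + sizeof text + sizeof data;
    if (cap < need) return 0;
    memcpy(buf, &mh, sizeof mh);
    memcpy(buf + sizeof mh, &text, sizeof text);
    memcpy(buf + sizeof mh + sizeof text, &data, sizeof data);
    return need;
}

int main(void)
{
    uint8_t buf[256];
    size_t n = build_sample_image(buf, sizeof buf);
    int prot = count_protected_segments(buf, n, 1);
    printf("protected segments: %d\n", prot);
    return prot < 0;
}
```

The bounds checks are the point worth keeping when adapting this to a real dumper: ncmds, sizeofcmds and each cmdsize come from the file being inspected, so a parser that trusts them walks off the end of the buffer on a crafted or truncated header. For a dumped process image the same walk tells you which vmaddr/vmsize ranges to read back.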
My first version attached to a selected PID but this one is much nicer. I will clean the code for that version and add it later.
And that's it! This is more an exercise for future dumpers, although there is some software using this "protection" (hint: Linkinus). If you want to play with it, you can use Amit Singh's cryptor that is linked in the previous post.
If you find any bugs or have any improvement, feel free to leave a comment or mail me. You are welcome!
I have no idea if it’s working with PPC code. It should but I only have i386.
Have fun!
fG!
And now the tool: dumpme_ptrace.c (SHA1(dumpme_ptrace.c)= 36231d436b0fd09c68fd729ccd34fcec887700a9)
Update:
Here is the PID version and a slightly improved ptrace version (more checks and an OpenSSL-style interface for input/output files).
dumpme_ptracev1.1.c SHA1(dumpme_ptracev1.1.c)= 7e441d9277e00f1c6570001305921820a4985468
dumpme.c SHA1(dumpme.c)= f3d353f532219efcfcfa87affb3b8474d7ff7e66
Update 2:
Minor fixes. Per Jez's suggestion (thanks!), vm_read dynamically allocates an array of bytes (next time I must RTFM!) and vm_deallocate should be used after we don't need those bytes.
Nothing like learning how to do things correctly.
dumpme_ptracev1.2.c SHA1(dumpme_ptracev1.2.c)= a7d35cf7ff8705b1da91c36aa9309a66079c0d91
dumpmev1.1.c SHA1(dumpmev1.1.c)= e1aba84eeae70663dc3580165d867e96c0770254
-
Great job!!!
Have you tested it with a Syncrosoft protected app???
-
Or try to decrypt the SecuROM loader of The Sims 2, for example.
-
Hallo fG,
I just want to thank you for this blog. The information you provide was a big help for me, as I'm just a beginner (and not a native English writer btw :>).
OT: It's a pity that there are no crackmes available for OS X – this would be a very interesting project. I would love to write some simple ones, but I'm unfortunately not yet experienced enough for the tough stuff.
Keep up the good work! Regards,
hans
P.S.: I was too lazy to write a mail, so I misused the possibility to comment – sorry for that.
Trackback link: http://reverse.put.as/2009/07/08/a-memory-dumper-for-apple-crypted-binaries-hurray/trackback/