A little disassembler for MPress packer…

July 23, 2009 in Tools | 7 comments

Since otool and otx can’t disassemble the packed binary, Andreas Gumundsson wrote a quick tool to do that job, using Udis86, a disassembler library for x86 and AMD64. Check the source to see the required compiler options.

Example usage:

$ ./disas -f mmpress.i386 -t macho | head -10
Found entrypoint inmemory address 0xd6b0
NCMDS 2
CMD 1
Looking in __MPRESS__v.1.21
Found entrypoint file offset 0x36b0
sub ebx, ebx
mov edi, ebx
call 0xd6b9
pop eax
add eax, 0x27c

Original source available here, and a local copy here.

By the way, Blackhat USA and DEFCON will have a few OS X related presentations ! Good luck to Ghalen on his presentation about Runtime kernel patching (I started exploring this subject but since I’m a lame ass coder I couldn’t finish it hehehehe! Glad he did it so I can try to implement some ideas I had).

fG!

  1. navaja’s avatar

    navaja on May 13, 2010 at 11:09 pm

    Hi. I was going through your “Dumping MPress packed binaries” article.

    Towards the end I get an error when trying to use vmmap…

    [QUOTE:]
    That jump at 0xa09a is very suspicious…If you follow it you will land at this address 0x8fe01010 (might be different for you).
    Using again vmmap to understand to what corresponds this address we get:
    (…)
    __TEXT 8fe00000-8fe2e000 [ 184K/ 184K] r-x/rwx SM=COW /usr/lib/dyld
    (…)
    [/QUOTE]

    Instead of finding out the region that address corresponds to, I get the following error:

    [QUOTE]
    Terminating app due to uncaught exception ‘VMUDyld fatal error’, reason: ‘Attempt to get _dyld_all_image_infos failed’
    [/QUOTE]

    Do you have any idea what going on? Do you see this error msg often when using vmmap?

    I am using Mac OS X 10.6.3.

    Reply

    1. fG!’s avatar

      fG! on May 14, 2010 at 12:49 am

      Hello,

      I have never seen that error. Either something was changed with Snow Leopard 10.6.3 or MPress has a new version.
      Can you tell me what is the target so I can give it a look?

      Thx!
      fG!

      Reply

      1. navaja’s avatar

        navaja on May 14, 2010 at 5:42 pm

        The mpress version hasn’t changed (v1.21). The target was mpress. However I get the same error with other targets.

        Reply

        1. fG!’s avatar

          fG! on May 17, 2010 at 10:49 pm

          Yes I went and checked mpress and it’s still the same version… I will test it out in my system and see if the same thing is happening.
          Could be something that changed in Snow Leopard that’s killing it.

          Reply

        2. fG!’s avatar

          fG! on May 19, 2010 at 12:05 am

          I gave a quick check yesterday and it seems to work without any problems in my Snow Leopard 10.6.3.
          I will do a complete test with a new binary this weekend and I will tell you about my results. You got me curious on this one!

          Reply

        3. fG!’s avatar

          fG! on May 23, 2010 at 12:19 am

          I just verified everything and you are correct. When you try to vmmap inside the linker code it crashes with the same problem.
          Seems like a bug or something was changed with Snow Leopard… Have to investigate it further!

          Reply

  2. B:.’s avatar

    B:. on July 26, 2010 at 9:40 pm

    Anyone found anything useful about this vmmap exception?

    Reply