Articles by fG!

You are currently browsing fG!’s articles.

A Mac OS X port of Phrack’s CheckIDT util by kad, or another way to retrieve sysent address

January 10, 2012 in Tools | No comments

This is a OS X port of kad’s checkidt utility featured at Phrack #59. It requires /dev/kmem to be active since task_for_pid on kernel task is prohibited since Snow Leopard.
I have added an option to calculate the sysent address via the IDT. The code is not very fail proof because it uses the opcode hex values. Disassembly is probably a better option. This is just a PoC written some time ago so there are some ugly things inside.
The concept to retrieve sysent is the following:

get idt -> get location of interrupt 0×80 -> get address of LO_UNIX_SCALL -> get address of unix_syscall -> get location of sysent

Some of the information that the original code retrieves in Linux is meaningless in OS X. Maybe one of these days I will do a major cleanup. If you do it first feel free to send it. The 64bits code state is unknown and untested – my machines do not run 64bits kernels :-/.

Enjoy,
fG!

checkidtv1.2.c.gz
SHA256(checkidtv1.2.c.gz)= fe663c83c81c0db11e661f3bf2596a323dcc1df342941067c804eda94a5086c3

Gdbinit v7.4.4 – the skip command

January 10, 2012 in Tools | 4 comments

Here is a small update to gdbinit with a new command, “skip”.
This command will skip over the current instruction, without executing it. Usually I do it manually by set $pc=newvalue but this involves copy&paste and mouse movements and gets boring after a while. It’s great to skip over calls while you are trying some stuff and analysing some program behavior.
By default it will not execute the command at the new address. You can change this by modifying the configuration variable on top of gdbinit.

This command uses a little hack that Hopper’s author told me – the $_ variable will hold the last address, so we can disassemble 2 lines and compute the difference to retrieve the instruction size. Gdb has no command to retrieve the instruction size at a given address.
I did some (incomplete) work to add a new command for this. Being an economist, I can’t avoid this dilemma – to invest or not (more) time into gdb. Gdb source is a boring mess and LLDB is improving. I am thinking to try to create an initial LLDB port of gdbinit. This should allow me to understand its true potential as reversing debugger and take a decision where to invest time & resources.

Have fun,
fG!

gdbinit744.gz
SHA256(gdbinit744.gz)= 2b223998571069f00edebd606d055c5b370ede5a8cb2b2fe69093c310e32c547

Some comments about plugin-alliance.com protection…

January 9, 2012 in Mac Reversing | 4 comments

It sucks, sort of!

Let me rewind to the beginning :-)
I was very curious about this one because it was announced with great fanfare. I interpreted it as something more robust than it really is – maybe I was over enthusiastic with the “we know this will be cracked someday” sentence.
Some brief comments:

- There are no anti-debug measures.
- There are no binary integrity protections – patch whatever you want!
- It has an annoying constant polling for the license file (I observed at least 5 hits per second – what a meaningless waste of cpu!). This can be patched without any problems :-)
- If you patch the polling, the program continues to work. What this means? License is read once and sets something somewhere (you should know what is the real meaning of this). This is bad, real bad!
- Class-dump is able to extract the license structure, although the fields sequence seems incorrect.
- It has a buffer overflow at getenv – doesn’t check the size of HOME environment variable before strcpy it to an allocated buffer. Bang! It is just a detail. Maybe that something somewhere can be taken care with a “proper” HOME variable – that would be a cool crack (never saw this against a real target).

Audio scene groups usually have great crackers so this will be a nice feast to them. Alliance guys, you must raise your efforts, seriously!

You can find below the source code to a license file decryptor, in case you are curious about its format.
I thought a while about this and I really think there is NO great harm in releasing this code. It doesn’t crack anything and the decrypted version of the license is too damn easy to dump from memory.
Alliance, if you are reading this and disagree please tell me.

This was sort of fun (I am disappointed!) and it’s time to move to more interesting things.
If you are using this protection to protect your assets, make some pressure to be improved!

Enjoy,
fG!

decrypt_pa_licensefilev0.2.c.gz
SHA256(decrypt_pa_licensefilev0.2.c.gz)= 071458084a22f91b126389490737e33bb3a6f0d047e205545b0c36f21c8a7ba0

Update:
I noticed (again) that what I call 1st stage in the decryption code is just decoding of a binary encoding format (modified base64?). I had this in mind the first time I approached this but got sick in between and never remembered this again. I was closing the hex-editor and my brain connected the dots again. It went into plain disassembly reverse without caring of what was behind (not that I care much now). Just a lame detail, too late in the night LOL :-)

Merry Christmas, Happy New Year and some notes…

December 18, 2011 in Uncategorized | 2 comments

Merry Christmas or whatever applies or not to your particular case, and much more important, Happy New Year!
The world is messed up and it will probably get worse in 2012. Cheer up and be positive!

Let me write some quick notes about some stuff:

- Take a look at Snare’s presentation about OS X Rootkits! Available at Papers section or here.
- Check out the fantastic Hopper disassembler and decompiler here or at the Mac App Store. It’s cheap and it’s great! I was quite surprised by its quality since such tool involves quite an amount of work!
- I have made a quick patch for MachOView to support the LC_ENCRYPTION_INFO command. Grab it here. Applies to the latest SVN version.
- The papers section is updated and better organized. It’s quite a collection!
- @DarkLapu has a new blog featuring a few Mac malware posts. Check it out here – great to see more work being published.
I did some analysis into Flashback-G but I have to ask to the person who submitted the sample if I can write about it. It has what I think will be (“cool”) features to be implemented in the near future. By the way, Flashback author I would love to have a talk with you. My PGP key is in the About page, total confidentiality guaranteed! I am just curious about some things in your code ;-)
- @hellais started a sandbox profiles project! The url is https://github.com/hellais/Buckle-Up. Glad to see new stuff coming up.
- Hum I think I am forgetting something else…

I have been working in some interesting stuff related to anti-debugging, rootkits and malware. Maybe I will try to make a presentation of this and submit it somewhere or just publish it here. In 2012 I have to (well, I should) move my ass into a job and stop my damn busy and too fun unemployment status, so let’s see where this ends.

Happy New Year! In crisis lies opportunity.
Live a long and prosper life, and more important, enjoy it!

fG!

Evil iTunes Plugins from Hell

November 22, 2011 in Mac Reversing | 5 comments

Let me start this with some sort of disclaimer. I do not support/condone stealing credit card information, logins, and other personal information. Disclosing security issues is always a double edge sword and a tricky problem with some politics in the mix. This problem was reported almost 3 months ago to Apple. It’s still not fixed after, at least, two iTunes releases. I perfectly understand the business side of fixing bugs and how business most of the times must come first (I have experience in critical environments where these type of problems can cost a lot of money and bad publicity).
But it also seems that governments and so on are exploiting security issues to do all kind of stuff on citizens. This is another interesting case (Google translate it). 3 months is more than enough to take a damn decision on this issue. If not, I maybe did a mistake. Live & learn :-)
So let’s start it…

The following problem seems like a pretty “lame” security issue with iTunes. I came across with it when one reader posted a comment about creating an iTunes plugin to have the same m3u removal functionality I did in my loader (original post here). My idea was to patch iTunes memory on the fly and remove the new m3u thing. To my surprise, this is a pretty easy thing to do with a plugin! Plugins are loaded into iTunes memory space (they are bundles/libraries) and can have total control over its memory. How? By using mach_task_self to acquire a port right (we don’t need any special/elevated permissions since the plugin shares the same permissions of iTunes) and then use mach_vm_write to patch whatever we want.

So how can we use this for devilish things? Well, we can capture those iTunes logins and credit card information. One alternative is to patch and redirect the code that asks for this information, another one is to make the plugin a small debugger, installing a breakpoint into the interesting place and retrieving the information.  Or we could maybe steal information from iTunes backups and upload it somewhere?

It’s not the easiest attack vector but it’s a damn easy one. If we have governments sponsoring backdoors installation then any vector is a good vector.

I did not created the PoC for stealing the iTunes account information. I found where to intercept that information and stopped there. Not interested in creating such thing. I will release the code for the m3u removal plugin (maybe tomorrow). Just need to clean some things – last time I used it was 3 months ago.

And that’s it! A simple security issue by design. Now go patch it Apple, close the damn holes :-)

Have fun,
fG!

Update:

Here’s the code. Check VisualPluginHandler in iTunesPlugIn.cpp, which handles the events (iTunes will be patched when plugin is loaded, unpatched if configuration is called, and patched again if show visualizer is called). The juice of the patching is located at hack.cpp. The mach-o headers information is grabbed from memory because of ASLR in Lion. Final step is to find the cstrings location and patch it.
I haven’t tested this with 64bits iTunes. Based on sample code provided by Apple’s Technical Note 2016. Some unnecessary code is still present and plugin could be improved by adding a configuration panel to enable/disable it. Maybe one of these days :-)

Disable_m3u_v0.1.zip
SHA256(Disable_m3u_v0.1.zip)= 7583d483ecba7dff93b958245e6801000251938a4f87e2dc71c58a4d9a7ee739

Gdbinit v7.4.3

November 4, 2011 in Tools | 2 comments

A small update to gdbinit. Many thanks to snare and Plouj for their reports :-)

Here is the changelog:

Version 7.4.3 (04/11/2011)
- Modified “hexdump” command to support a variable number of lines (optional parameter).
- Removed restrictions on type of addresses used in the “dd” command.
- Modified the assemble command to support 64bits – You will need to recompile nasm since the version shipped with OS X doesn’t supports 64bits (www.nasm.us).
Assumes that the new binary is installed at /usr/local/bin – modify the variable at the top if you need so.
It will assemble based on the target arch being debugged. If you want to use gdb for a quick asm just use the 32bits or 64bits commands to set your target.
- Added “asm” command – it’s a shortcut to the “assemble” command.
- Added configuration variable for colorized prompt. Plouj reported some issues with Ubuntu’s gdb 7.2 if prompt is colorized.

Enjoy!
fG!

gdbinit743.gz
SHA256(gdbinit743.gz)= 18931eac613917b4ef63be7708dfa052e7a0edb629c7d829705e231cf2154451

The latest version can always be found here.

« Older entries § Newer entries »