Tips


This is just a simple post about using XCode to create IDA C/C++ plugins. Nothing fancy here :-)
For great references about IDA SDK plugin writing, check out The IDA Pro Book by Chris Eagle and the binarypool.com tutorial.

XCode 3.2.6 is the reference. The resulting project loads and compiles without any issues in XCode 4. Why not do this in 4? The human brain is mysterious (3.x still loads by default on my system :-X).

Let’s start…
Load XCode and start a New Project. Use the BSD C Library template, Dynamic type (found in the Framework & Library group). Choose whatever name you want for your plugin (we can rename the binary later).

The next step is to edit the project settings. Go to the “Project” menu, “Edit Project Settings”. Select the “Build” settings and go to the “Linking” options group. In “Other Linker Flags” insert “-lida”. Next go to the “Search Paths” options group. You need to set the path to the IDA SDK header files (the idasdk/include folder) in “Header Search Paths” and the path to the IDA library (libida.dylib) in “Library Search Paths”. You can copy the library from the IDA application into the SDK folder or just point it to the IDA application folder. It’s your call!

The last step here is to add a preprocessor macro. Add “__MAC__” to “Preprocessor Macros” in the “Preprocessing” group. You can also define this in your source file. The symbols “__EA64__” and “__X64__” might be useful; check install_linux.txt in the SDK for their meaning. You should probably add these in the source file together with “__LP64__” to distinguish between 32- and 64-bit builds.

To finish this you may want to configure the target options. Since it’s a very simple project you can use the “Project”, “Edit Active Target xxxx” menu. Select the “Build” settings and go to the “Packaging” group. Modify the “Executable extension” to “pmc”, remove/change the “Executable Prefix”, and configure the “Product Name” if you wish.

Now add your plugin code (files should be of C++ type), compile and install the plugin (you can configure XCode to execute this step when it finishes compiling: add a new Copy Files build phase).

If you don’t want to use XCode you can use this Makefile (original from the binarypool.com tutorial). Adapt it to your own needs. It’s configured for producing 32-bit binaries only.

# Build a 32-bit (i386) IDA plugin on Mac OS X and link it against libida.dylib.
# Adjust SRC/OBJS and the two /path/to/... entries. Recipe lines must start with a tab.
SRC=formsample.cpp
OBJS=formsample.o
CC=g++
LD=g++
# __IDP__ and __PLUGIN__ tell the SDK headers this is a plugin build; __MAC__ selects
# the Mac OS X platform definitions.
CFLAGS=-arch i386 -D__IDP__ -D__PLUGIN__ -c -D__MAC__ -I/path/to/idasdk/include
# -shared (single dash with the Apple toolchain) builds a dynamic library; -undefined error
# makes the link fail on unresolved symbols instead of deferring them to load time.
LDFLAGS=-arch i386 -shared -L/path/to/libida -lida -Wl,-undefined,error

all: formsample.pmc

formsample.pmc: $(OBJS)
	$(LD) $(LDFLAGS) $(OBJS) -o formsample.pmc

$(OBJS): $(SRC)
	$(CC) $(CFLAGS) $(SRC)

And that’s it!

fG!

Apple Sandbox Guide v1.0

Here is a version I consider good enough to come out of draft status. I have added more information; one thing I was especially interested in was matching the available operations in the SBPL syntax with the system/kernel functions they control. This helps to better understand the impact of each operation. Appendix B features the lazy IDC script I used to extract this information from the sandbox kernel module (which I then had to match against the xnu kernel sources).
I tried to provide examples for all operations and make notes of some problems/features where available. I also added a few more references about this subject. The book “Enterprise Mac Security: Mac OS X Snow Leopard” has a pretty good chapter dedicated to this.

I hope it’s useful for you. I have been using it as reference while developing some custom profiles.

Enjoy,
fG!

Apple Sandbox Guide v1.0.pdf
SHA256(Apple Sandbox Guide v1.0.pdf)= c6ae8502a48f09a6309a9485e9bf7794389e969fd9ab65c46d805307a9a1cb8e

vienna.sb.gz
SHA256(vienna.sb)= 0831910e4d2a92253e5b64e92ec0f27e1408b926253eca9eee3f9918036077c0

After quite a few hours of typing and testing stuff, here is a very early draft of my attempt to document Apple’s sandbox implementation.
The most difficult part of writing technical documentation or business plans is getting the first draft more or less ready. It’s even worse when there’s not much information about the subject. But here is something with already quite a bit of significant content.
In this draft I don’t like the writing style; it’s still very confusing and boring. The layout of the reference section is also a bit confusing.

What I would like to hear from you is about the content and the direction I took: whether it is useful this way, whether it can be (easily) understood, how it can improve, what more to add, etc.
Leave a comment, write a mail, or send me a tweet. Any feedback is appreciated! This is not an easy task ;-)

Enjoy,
fG!

Apple Sandbox Guide v0.1.pdf
SHA256(Apple Sandbox Guide v0.1.pdf)= a7e966d03014938af92df5a9f9eb5cfbabf01d3c22dacb701768af2aaca1866d

Update:
An improved version 0.2 is now available. The layout is improved and more content added. Still missing the mach operations. file-write-data appears to be buggy (or I am missing something…).

Apple Sandbox Guide v0.2.pdf

SHA256(Apple Sandbox Guide v0.2.pdf)= a22e5baf0e88413077fdf0b421920c02f02bfae7b897ba49fb6ae5709b3e460d

These last days I must be in Apple device destruction mode. First I lost access to my MacBook while trying to increase its physical security: I configured it to boot from the network and lost all access to the boot sequence commands. I think my model has an EFI bug, because with security-mode set to full it doesn’t ask for a password when I start/restart my laptop; it only asks for a password if I want to boot from other devices. I had to install a Snow Leopard Server to boot from a NetBoot image (the process works extremely well!) and fix the startup sequence… This of course after quite a few (known) attempts to reset the damn startup sequence; I even removed the NVRAM battery, to no effect!

Proceeding in this “destruction” sequence, I set my iTunes to encrypt backups and I forgot the damn password (too many passwords…). Since losing that backup wasn’t a big issue, I tried just to remove the encrypted option, but that doesn’t work since it requires the old password. Some web searching turned up nothing relevant. The best clue was to mess with the keychain-2.db file, located at /var/Keychains. I tried to move it but that didn’t work, so I went checking its contents, since it’s a sqlite3 database. The interesting row is in the genp table and looks something like this (your results should differ, at least in the first field, which is the “rowid”):

153||||||||||||||BackupPassword|BackupAgent|||apple|dk

So I deleted this row (delete from genp where rowid = 153) and reconnected my iPad to iTunes. I tried to remove the Encrypt iPad Backup option but it asked again for the password. Fill it with random junk and voilà, problem solved :-)
A new, unencrypted backup will start. After it finishes (or you can stop it), you will be able to set a new password and the encrypted backup will start.

Most probably you will need to have your iOS device jailbroken to access that file. If you can access the file from a file system browser, you can edit it on your iTunes computer and copy it back to the device (I doubt that this is possible with non-jailbroken devices).
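The lookup and deletion described above, as an added Python example that is not part of the original post. It works on a constructed stand-in for the genp table (the column names acct, svce, gena, data, agrp and pdmn are assumptions inferred from the row shown above; the real table has many more columns), copies the database aside before touching it, and deletes only rows whose account is BackupPassword and whose service is BackupAgent, rather than a hard-coded rowid that differs from device to device.

```python
import os
import shutil
import sqlite3
import tempfile

# Constructed sample data standing in for keychain-2.db. Only the columns needed
# to recognise the row from the post are modelled (assumed names, see lead-in).
SAMPLE_ROWS = [
    (7, "wifi-psk", "AirPort", None, b"\x01", "apple", "dk"),
    (153, "BackupPassword", "BackupAgent", None, b"\x02", "apple", "dk"),
    (200, "account", "com.example.app", None, b"\x03", "example", "dk"),
]


def build_sample_db(path):
    """Create a small genp table with the constructed rows above."""
    conn = sqlite3.connect(path)
    try:
        conn.execute(
            "CREATE TABLE genp (acct TEXT, svce TEXT, gena TEXT, data BLOB, "
            "agrp TEXT, pdmn TEXT)"
        )
        # Explicit rowid so the sample reproduces the rowid=153 row from the post.
        conn.executemany(
            "INSERT INTO genp (rowid, acct, svce, gena, data, agrp, pdmn) "
            "VALUES (?, ?, ?, ?, ?, ?, ?)",
            SAMPLE_ROWS,
        )
        conn.commit()
    finally:
        conn.close()


def find_backup_password_rowids(path):
    """Return the rowids of the generic-password entries iTunes uses for the
    encrypted-backup password, matched by account/service instead of rowid."""
    conn = sqlite3.connect(path)
    try:
        cur = conn.execute(
            "SELECT rowid FROM genp WHERE acct = ? AND svce = ?",
            ("BackupPassword", "BackupAgent"),
        )
        return [row[0] for row in cur.fetchall()]
    finally:
        conn.close()


def delete_rows(path, rowids):
    """Copy the database to <path>.bak first, then delete the given rows in a
    single transaction. Returns the number of rows removed."""
    shutil.copy2(path, path + ".bak")
    conn = sqlite3.connect(path)
    try:
        with conn:  # commits on success, rolls back on error
            conn.executemany(
                "DELETE FROM genp WHERE rowid = ?", [(r,) for r in rowids]
            )
        return conn.total_changes
    finally:
        conn.close()


def run_demo():
    """Build the sample database in a temp dir and run the full procedure."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "keychain-2.db")
    build_sample_db(path)
    before = find_backup_password_rowids(path)
    deleted = delete_rows(path, before)
    after = find_backup_password_rowids(path)
    return {
        "before": before,
        "deleted": deleted,
        "after": after,
        "backup_exists": os.path.exists(path + ".bak"),
    }


if __name__ == "__main__":
    print(run_demo())
```

On a real copy of the database, point find_backup_password_rowids and delete_rows at the file you pulled from the device instead of the constructed one; keep the .bak copy until the new backup has completed.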

That’s it!
fG!

Update: This method doesn’t seem to be valid in iOS 5.x. The database has changed and the fields appear to be encrypted. Need to do some research on this.

I wanted to recompile gdb so I can modify its source and add some custom patches to enhance its output… Easier said than done!!!!
There’s not much information around about this, and my first attempt was to download the gdb source package from Apple and try to compile it. It didn’t compile out of the box, so I had to fix here and there; finally it compiled, but it didn’t work. Searching the web for more ideas, I finally understood I had to use the darwinbuild environment for this task. Install darwinbuild, follow the instructions (crappy ones I might add!) and bang, it doesn’t compile due to huge dependencies from include files… Fix here and there and still no luck. Searching the web again, I finally found the mysterious parameter to darwinbuild, -nochroot! Compile and voilà, it works :)

And now it’s very easy to do. You should have XCode installed. Follow these steps:

1) Download darwinbuild from their SVN repository (Mac SVN client available here: http://homepage.mac.com/martinott/ )
1.1) Snow Leopard already has an svn client by default, so no need to download one. Instructions on how to download, compile and install darwinbuild are here. MacPorts can also be used to install it.
2) Compile and install darwinbuild:

$ make ; sudo make install

3) Create the DMG file and initialize darwinbuild environment (you should use 2 gigabytes for Snow Leopard because of the 64bit version):

The plists and build numbers are available at http://svn.macosforge.org/repository/darwinbuild/trunk/plists/

$ hdiutil create -size 1G -type UDIF -fs HFSX -volname Builds -uid 0 -gid 0 -attach Builds.dmg
$ sudo sh
# vsdbutil -a /Volumes/Builds
# cd /Volumes/Builds
# mkdir Build9G55 (this is for Leopard 10.5.6) (Snow Leopard 10.6.2 is Build10C540)
# cd Build9G55
# darwinbuild -init 9G55 (you need Internet connection)
# darwinxref edit

Insert the following after the darwin tag (this will make it compile only for i386):
environment = {
INSTALLED_PRODUCT_ASIDES = YES;
MACOSX_DEPLOYMENT_TARGET = 10.5;
NEXT_ROOT = "";
RC_ARCHS = i386;
RC_JASPER = YES;
RC_NONARCH_CFLAGS = "-pipe -no-cpp-precomp";
RC_OS = macos;
RC_PRIVATE = /private;
RC_RELEASE = Leopard;
RC_XBS = YES;
SEPARATE_STRIP = YES;
UNAME_RELEASE = 9.6;
UNAME_SYSNAME = Darwin;
};

For Snow Leopard use this (it will build 32 and 64 bit binaries):

environment = {
INSTALLED_PRODUCT_ASIDES = YES;
MACOSX_DEPLOYMENT_TARGET = 10.6;
NEXT_ROOT = "";
RC_ARCHS = "i386 x86_64";
RC_JASPER = YES;
RC_NONARCH_CFLAGS = "-pipe";
RC_OS = macos;
RC_PRIVATE = /private;
RC_RELEASE = SnowLeopard;
RC_TARGET_CONFIG = MacOSX;
RC_XBS = YES;
SEPARATE_STRIP = YES;
UNAME_RELEASE = 10.0;
UNAME_SYSNAME = Darwin;
};

The editor used is vi. Save and quit. Update: If you get a problem with an invalid property list, you need to replace the quotes in the block you just pasted with plain ASCII double quotes (copy&paste turns them into typographic quotes). That should fix the problem.
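A small checker for exactly the copy&paste problem mentioned in the update, added here as an example and not part of the original post or of darwinbuild. It locates the typographic quotes (U+201C/U+201D and the double prime U+2033 that web pages substitute for ASCII quotes), rewrites them to plain ASCII, and sanity-checks every KEY = VALUE; line of the pasted environment block against the old-style plist dictionary syntax. The sample block is the Snow Leopard one from above with the broken quotes reintroduced on purpose; the key/value regex is a deliberately narrow assumption that covers the values used in these two blocks, not a full plist parser.

```python
import re
import sys

# Typographic quote characters that replace ASCII quotes when text is copied
# from a web page or word processor, mapped back to the ASCII character.
QUOTE_MAP = {
    "\u201c": '"', "\u201d": '"', "\u201e": '"', "\u2033": '"',
    "\u2018": "'", "\u2019": "'", "\u201a": "'", "\u2032": "'",
}

# KEY = VALUE; where VALUE is either an ASCII-double-quoted string or a bare
# token made of the characters the blocks above use (letters, digits, _ . / -).
LINE_RE = re.compile(
    r'^([A-Z_][A-Z0-9_]*)\s*=\s*("[^"]*"|[A-Za-z0-9_./-]+)\s*;$'
)

# Constructed sample: the Snow Leopard block with the curly quotes and the
# double prime that copy&paste produces (escaped so they are visible here).
SAMPLE_BLOCK = "\n".join([
    "environment = {",
    "INSTALLED_PRODUCT_ASIDES = YES;",
    "MACOSX_DEPLOYMENT_TARGET = 10.6;",
    "NEXT_ROOT = \u201c\u201d;",
    "RC_ARCHS = \u201ci386 x86_64\u2033;",
    "RC_JASPER = YES;",
    "RC_NONARCH_CFLAGS = \u201c-pipe\u201d;",
    "RC_OS = macos;",
    "RC_PRIVATE = /private;",
    "RC_RELEASE = SnowLeopard;",
    "RC_TARGET_CONFIG = MacOSX;",
    "RC_XBS = YES;",
    "SEPARATE_STRIP = YES;",
    "UNAME_RELEASE = 10.0;",
    "UNAME_SYSNAME = Darwin;",
    "};",
])


def find_bad_quotes(text):
    """Return (line, column, character) for every non-ASCII quote in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if ch in QUOTE_MAP:
                hits.append((lineno, col, ch))
    return hits


def normalize_quotes(text):
    """Rewrite typographic quotes to their ASCII equivalents."""
    return "".join(QUOTE_MAP.get(ch, ch) for ch in text)


def check_environment_block(text):
    """Return (line number, line) for each KEY = VALUE; line that does not
    match the expected syntax. The opening 'name = {' and closing '};' lines
    are skipped; blank lines are ignored."""
    bad = []
    for lineno, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.endswith("= {") or s == "};":
            continue
        if not LINE_RE.match(s):
            bad.append((lineno, s))
    return bad


if __name__ == "__main__":
    # Usage: python fixquotes.py file.plist  (no argument: run on the sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_BLOCK
    for lineno, col, ch in find_bad_quotes(text):
        print("line %d col %d: non-ASCII quote U+%04X" % (lineno, col, ord(ch)))
    fixed = normalize_quotes(text)
    for lineno, s in check_environment_block(fixed):
        print("line %d still malformed: %s" % (lineno, s))
    sys.stdout.write(fixed + "\n")
```

Run it over the block before pasting into darwinxref edit: the offending lines are listed first, and the normalized block printed last is the one to paste.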

# darwinbuild -nochroot gdb

Update:
The -nosource option has been added to recent darwinbuild versions. This option will allow you to patch directly into BuildRoot/SourceCache/.
The first time you shouldn’t use this option, so that darwinbuild downloads the gdb package. After that you can use it if you want to patch the gdb source files directly (that’s what I do with my gdb patches). It’s much easier and faster than having to patch and compress the whole gdb source. After you patch, you just issue “darwinbuild -nochroot -nosource gdb” and this will not unpack the original source but instead use whatever is in SourceCache.

There are problems with libiconv in Snow Leopard. Configure picks the lib available at /usr/local/lib and this generates undefined symbols when compiling. The solution is to link that to /usr/lib/libiconv.dylib or to edit the Makefile. To edit the Makefile you either need to edit the original tar.gz available at Sources dir (and repackage it), or you can issue “darwinbuild -nochroot gdb”, wait for error, then edit BuildRoot/SourceCache/gdb/gdb-1344/src/gdb/Makefile.in , search for LIBICONV and replace with “LIBICONV = /usr/lib/libiconv.dylib”. I have tried to modify the Makefile to pass the correct path to configure but it’s not working… Bah !!! I don’t feel like exploring this (darwinbuild documentation is CRAP) so MacGyver tactics will have to do the job :-)

If you have some problems compiling for x86_64 then remove that architecture from RC_ARCHS. It worked without any problem for me. The final binary will be a fat binary having i386 and x86_64 versions.

Update End.

Wait for the compilation to finish…
Go to Roots/gdb/gdb-768.root*/usr/libexec/gdb (in Snow Leopard it should be gdb-1344.root*). You should have a gdb-i386-apple-darwin there. Back up the original and copy this one over.

# cp /usr/libexec/gdb/gdb-i386-apple-darwin /usr/libexec/gdb/gdb-i386-apple-darwin.orig
# cp gdb-i386-apple-darwin /usr/libexec/gdb/

Launch gdb and see if it works. It should :) It’s easy after you find how ;)


Now I just need to finish the patches… And tha tha that that’s all folks!

fG!

I forgot to mention this previously, but there is a mailing list available at http://0x90.org/mailman/listinfo/xso and an IRC channel at irc.freenode.net, #osxre !

It’s still a small community but more people are showing up and IRC is always a good communication tool.

I’m not the administrator of either, but YOU are invited to join :)

fG!
