Tips

I forgot to mention this previously, but there is a mailing list available at http://0x90.org/mailman/listinfo/xso and an IRC channel at irc.freenode.net, #osxre !

It’s still a small community but more people are showing up and IRC is always a good communication tool.

I’m not the administrator of either, but YOU are invited to join :)

fG!

Apple’s GDB Bug ?

I was trying to add some features to gdbinit and I needed global variables. I already knew that feature wasn’t working on Mac OS X gdb and I was puzzled why it didn’t work. Some quick tests on a Linux box couldn’t reproduce the same behaviour so something is wrong with Apple’s gdb version. I finally found how it happens !
A very simple .gdbinit to test things would be:

set $bugtest = 10
define bugtest
output $bugtest
end

Let’s replace our beloved .gdbinit with this simple version and see what happens:

$ gdb
GNU gdb 6.3.50-20050815 (Apple version gdb-696) (Sat Oct 20 18:16:54 GMT 2007)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-apple-darwin".
warning: --arch option not supported in this gdb.
 
(gdb) bugtest
10(gdb)

Now another test:

$ gdb antidebug
GNU gdb 6.3.50-20050815 (Apple version gdb-696) (Sat Oct 20 18:16:54 GMT 2007)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-apple-darwin"...
warning: --arch option not supported in this gdb.
Reading symbols for shared libraries .. done
 
(gdb) bugtest
void(gdb)

Can you spot the difference ? This should help…

$ gdb
GNU gdb 6.3.50-20050815 (Apple version gdb-696) (Sat Oct 20 18:16:54 GMT 2007)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-apple-darwin".
warning: --arch option not supported in this gdb.
 
(gdb) exec-file antidebug
Reading symbols for shared libraries .. done
(gdb) bugtest
10(gdb)

So for some reason (bug ?!?!?) the .gdbinit global variables are lost if we start gdb with a program as argument, and they are kept if we start gdb without any argument. Attaching to an already running process works without problems. With the same trick, one of those unmodified .gdbinit files (7.0 or 7.1) runs smoothly, no errors :)

GDB source code is huge and the changelog might not be helpful to track this problem :( I was trying to backport the memory search feature implemented in latest gdb versions but I gave up ! At least I have a workaround…

Excellent book ! Recommended if you are into Reverse Engineering and not only specific for IDA.

Well written with lots of examples. Really enjoyed it. Well worth the money (and even cheaper if you use Amazon Market Place).

I’m back with huge amounts of work so my reversing efforts are on a halt. Let’s see if things get calm again so I can try some ideas :)

“Hacker” Challenge

Hello,

If you want to have some fun and maybe improve your security/reversing skills, you might try this site http://www.dareyourmind.net !
It has some nice challenges in different fields (reversing is only for Windows, but hey you must be able to reverse for anything!).

Have fun !

How to change /etc/hosts

It’s useful to change /etc/hosts, especially with protections requesting online keys.
After editing /etc/hosts, you need to refresh the OS X NetInfo database.
Just run the following command:

sudo niload -v -m hosts . < /etc/hosts

And then flush the cache with:

lookupd -flushcache

For Snow Leopard the command has changed. It is now:

dscacheutil -flushcache

And that’s it!
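
The steps above as one script, added here as an example and not part of the original post: it picks whichever of the quoted commands is installed instead of hard-coding an OS X release. The function names, the `DRY_RUN` variable and the loopback sanity check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Function names, DRY_RUN and the
# loopback sanity check are assumptions of this example.

have() { command -v "$1" >/dev/null 2>&1; }

# Sanity check before reloading: the edited file must still map
# 127.0.0.1 to localhost.
hosts_file_ok() {
    grep -Eq '^127\.0\.0\.1[[:space:]].*localhost' "$1"
}

# Print the commands to run, one per line, in execution order.
# Returns 1 when neither cache-flush tool from the post is installed.
hosts_refresh_plan() {
    # Reload the NetInfo hosts map only where niload is installed.
    if have niload; then
        echo "niload -v -m hosts . < /etc/hosts"
    fi
    if have dscacheutil; then
        echo "dscacheutil -flushcache"
    elif have lookupd; then
        echo "lookupd -flushcache"
    else
        echo "neither dscacheutil nor lookupd found on PATH" >&2
        return 1
    fi
}

# Run the plan as root; with DRY_RUN=1 only print it.
hosts_refresh() {
    hosts_file_ok /etc/hosts || { echo "/etc/hosts lost its localhost entry" >&2; return 1; }
    plan=$(hosts_refresh_plan) || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$plan"
        return 0
    fi
    printf '%s\n' "$plan" | while IFS= read -r cmd; do
        # stdin is detached so a command cannot swallow the rest of the plan
        sudo sh -c "$cmd" </dev/null || exit 1
    done
}

# Usage: DRY_RUN=1 hosts_refresh   (preview), then: hosts_refresh
```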

Since there are programs with serial numbers tied to the network card MAC address, it might be useful to change it.
There are some fancy GUI programs for this but it’s faster from terminal:

ifconfig en0 lladdr X:XX:XX:XX:XX:XX

And that’s it…
