This causes my 10.6.4 mbp to panic, is this for 32bit? How does one find the 64bit values?

Thanks!

table = (struct sysent *) ( 0x008317f0 – 0x28b0 );

but may i know the website you got the crackmes from MSJ challenge?

Thanks in advance.

BR,
[ Gunther ]

It’s the false breakpoint trick (int3). There is one int3 in the code but that one isn’t breaking. I bet the binary has obfuscated code protecting that int3 that’s confusing gdb. You will have to trace since the entrypoint and manually find where it is (yeah it’s a pain in the ass but works all the time!).
I don’t have the time at the moment to further analyse it! But it seems like an interesting time. First time I ever saw someone using this trick at OS X.
Have fun!

fG!

by the way in gdb, program exits with code 06.

thanks for this fantastic blog

$ cat gdbx
#!/usr/bin/expect
spawn gdb
expect “(gdb) ”
send “exec-file [lindex $argv 0]\n”
interact

$ ./gdbx /bin/ls
spawn gdb
GNU gdb 6.3.50-20050815 (Apple version gdb-962) (Sat Jul 26 08:14:40 UTC 2008)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type “show copying” to see the conditions.
There is absolutely no warranty for GDB. Type “show warranty” for details.
This GDB was configured as “i386-apple-darwin”.
(gdb) exec-file /bin/ls
Reading symbols for shared libraries …. done
(gdb) b *0x000023f0
Breakpoint 1 at 0x23f0
(gdb) r
Starting program: /bin/ls
Reading symbols for shared libraries ….. done

Breakpoint 1, 0x000023f0 in ?? ()
$1 = “test”
$2 = 10
$3 = 20
(gdb)

Do you know where i can read about ways of dealing with Dynamic function calls and how to use breakpoints in gdb for such scenarios?

I just read that you was working on “Remote Buddy” too. Could you share your experience?. I’m a little bit lost on this one. I can’t get symbols correctly, and I’m running out of luck using just otx/hexeditor.

I removed _ptraced calls and could locate CopyCore address but i don’t know if that helps. What are RBuddy encrypting on directories?.

Thank you for all your work by the way.

cheers

$ nm -arch i386 /mach_kernel | grep _nsysent
00831730 D _nsysent
0085df7c S _nsysent_size_check

$ nm -arch x86_64 /mach_kernel | grep _nsysent
ffffff800065ac90 D _nsysent
ffffff8000695830 S _nsysent_size_check

navaja:~ navaja$ nm -arch x86_64 /mach_kernel | grep _nosys
ffffff800048996c T _nosys

Does this mean that I should change this line in onyx_the_black_cat.c:
table = (struct sysent *) ( 0×00831730 – 0×2710 );
to this:
table = (struct sysent *) ( 0x0048996c – 0×2710 );
?

Totally forgot about 64bit kernels!

navaja:~ navaja$ sudo kextload /System/Library/Extensions/onyx-the-black-cat.kext
/System/Library/Extensions/onyx-the-black-cat.kext failed to load – (libkern/kext) kext (kmod) start/stop routine failed; check the system/kernel logs for errors or try kextutil(8).

navaja:~ navaja$ sudo dmesg
npvhash=4095
PAE enabled
64 bit mode enabled
Darwin Kernel Version 10.3.0: Fri Feb 26 11:58:09 PST 2010; root:xnu-1504.3.12~1/RELEASE_I386

…

[onyx-the-black-cat] Starting patching …
[onyx-the-black-cat] Finding sysent table…
[onyx-the-black-cat] Sanity check: verifying if number of syscalls arguments are the expected ones
[onyx-the-black-cat] Sanity check: sanity check failed, could not find sysent table.
[onyx-the-black-cat] Error: Cannot find sysent table
Kext com.reverse.put.as.kext.onyx_the_black_cat start failed (result 0×5).
Kext com.reverse.put.as.kext.onyx_the_black_cat failed to load (0xdc008017).
Failed to load kext com.reverse.put.as.kext.onyx_the_black_cat (error 0xdc008017).

Any suggestions?
Perhaps it has something to do with the pt_deny_attach.kext I was using before?
http://bit.ly/96OzCq

gdb$ print (int)[0x42e150 licenseIsValid]
$1 = 0×0

How can I add a breakpoint into this function?

gdb$ break licenseIsValid
Function “licenseIsValid” not defined.

Thank you!

I keep getting:

Function “xxxxx” not defined.
Make breakpoint pending on future shared library load? (y or [n])

But those functions not only are present on the dump (class-dump) and showed by otx, also ARE called (checked sing dtrace)

#!/usr/sbin/dtrace -qs

pid$1::objc_msgSend:entry
{
self->isa = *(long *)copyin(arg0,4);
printf(“-[%s %s]\n”,copyinstr(*(long *)copyin(self->isa + 8,
4)),copyinstr(arg1));
}

Any idea why ?

Thanks for the test

PROTip: Check that 10.6 is your active SDK

In file included from /Users/…/Downloads/onyx-the-black-cat-snowleopard/onyx_the_black_cat.c:30:
/Users/…/Downloads/onyx-the-black-cat-snowleopard/structures.h:439: error: redefinition of ‘struct _pcred’
/Users/…/Downloads/onyx-the-black-cat-snowleopard/structures.h:449: error: redefinition of ‘struct _ucred’
/Users/…/Downloads/onyx-the-black-cat-snowleopard/structures.h:457: error: redefinition of ‘struct extern_proc’
/Users/…/Downloads/onyx-the-black-cat-snowleopard/structures.h:513: error: redefinition of ‘struct kinfo_proc’
/Users/…/Downloads/onyx-the-black-cat-snowleopard/structures.h:515: error: redefinition of ‘struct eproc’

Any chance you can write some new about opcodes? i’m struggling to go from changing the flow of apps into making it stick using hex editor since i don’t know how to what i’m doing. You’re Slidpad tutorial only touches the hex editing and patching only very briefly touches this for the very specific example.

coffee

also when you get a chance can you please look at this post (tinyurl.com/2cnb83d) i made about my problems trying to debug the “Hello world” program in gdb. I think the problem might be with the gdbinit (but what do i know so is possibly wrong). Thanks in advance

about the gdbinit file you’ve made , From what you’ve written it has some issues with snow leopard, would that effect me doing basic RE or is it just effecting the more complex scenarios you guys get into? In short, is it safe gdbinit safe to use for someone like me(newbie) on snow leopard?

as for otx commandline tool, it tell me the same thing as the GUI otx, “otx: main is not a Mach-O file.” , main being the same “Hello world” code in C from your SlidePad tutorial!

also can anyone get into CorruptFire.Com? I’ve been trying to get into the site to see what else is in there but it just times out.

Lastly (fG! is probably going to IP block me soon with all these questions) when should one expect to see a new tutorial ?

may i also use this section to ask two questions?

1) what do i do with the gdbinit file that seems to be popular amongst the folks here? is it useful? what does it do? How is it applied?

2) what is the equivalent command line command for otx that can produces the same output as when done through otx itself, when i do “otool -vt …” the output is not as clean and readable as when done though otx , reason why i need it is because sometimes otx doesn’t recognize the programs i write in c saying “No mach-o file” even for something as simple as the “Hello world” in fG! tutorial, but command line otool has no problems with it.

3) The reason to why the hexadecimal values i see on my machine have extra zeros is because i’m using a 64bit machine (snow leopard) where as the tutorials were written on 32bit?

ie : fG!’s tutorial outout (shell$ vmmap -allSplitLibs 303 | grep xprogram
__TEXT 00036000-00051000)

compared to my out put(vmmap -allSplitLibs 1860 | grep xprogram
__TEXT 0000000100243000-000000010024c000)

or am i wrong?

loving gdbinit.

I can’t wait to see a new tutorial written by you. Maybe a tutorial based on some new app of fair size that allows for teaching of varying techniques in RE would be a dream for someone like me who’s keen on learning but am struggling to find resources, It can’t come soon enough, mean time its back to SlidePad tutorial for me.

I’m desperate to learn RE on macOSX and find your way of showing how its done by tutorials excellent. Following your SlidePad tutorial i learnt a fair bit but i don’t think my skill are up to scratch and i am desperate for more tutorial or a resource you can direct me to to learn more. I know there are “Crackme” tutorials out there but they’re mostly very old (not even intel mac) and i could hardly apply the skills on snowLeopard.

My intention isn’t to become a cracker , i just find RE exciting . To me you’re like a god in mac RE field ,Please show me where i can learn more , something like your slidepad tutorials where everything is up-to-date and explanations on what to do with gdb , otool and class-dump are clear instead of assumed knowledge.

I have never seen that error. Either something was changed with Snow Leopard 10.6.3 or MPress has a new version.
Can you tell me what is the target so I can give it a look?

Thx!
fG!

Towards the end I get an error when trying to use vmmap…

[QUOTE:]
That jump at 0xa09a is very suspicious…If you follow it you will land at this address 0x8fe01010 (might be different for you).
Using again vmmap to understand to what corresponds this address we get:
(…)
__TEXT 8fe00000-8fe2e000 [ 184K/ 184K] r-x/rwx SM=COW /usr/lib/dyld
(…)
[/QUOTE]

Instead of finding out the region that address corresponds to, I get the following error:

[QUOTE]
Terminating app due to uncaught exception ‘VMUDyld fatal error’, reason: ‘Attempt to get _dyld_all_image_infos failed’
[/QUOTE]

Do you have any idea what going on? Do you see this error msg often when using vmmap?

I am using Mac OS X 10.6.3.

http://forums.macosxhints.com/showthread.php?t=111399

i tried to compile it myself…nogood…
hope u get time publish it soon…

cheers

i’m really happy that you are back. I totally agree with you and it sounds funny, but what you proposed for the new direction of this blog is in my mind since a year or so. I planned to develop some utilities for protecting osx-applications, just to make it more difficult to reverse an app. I would love to share my experience, although i don’t have enough time at the moment. But when nothing cropped up, i can start in a month.

Drop me a line, if you want.

i0rek

Thanks a lot for sharing! This is the spirit!

This is the perfect place for a beginner like myself.

Please, keep the excellent work.

Neo

I didn’t find your email address so I’m dropping a comment instead. I’ve been doing plenty of reverse engineering myself, both to make my own app “more secure” and also to take advantage of stuff that you aren’t necessarily meant to tinker with.

I really enjoy(id) your blog and think it’s something that can also help developers. I’m sorry that other people have used your material in a wrong way and wish that there was a community where people could exchange ideas without of misusing them.

Thanks.
- H

I had lot fun reverse engineering Finder.app recently: http://totalfinder.binaryage.com

I have to find a way to update the gdbinit for x86_64 without creating two different versions. Need to explore that and see if it’s possible since I plan to move to Snow Leopard soon !

Have fun !

Forgot to use lipo to extract out the x86_64 / i386.. gdb tried to run the x86_64 hence all the void in eax, ebx..

————————————————————————–[regs]
EAX:Error while running hook_stop:
Value can’t be converted to integer.

(if running context alone, only “Value..” shows)

I’ve tried using it with the original gdb, with your binary gdb and with my compiled (+patched) gdb via darwinbuild.. no avail.

Can you shed some light?

you’re right! Thank you very much.

I followed your instructions (Jan 2009) to compile gdb with darwinbuild. I had to make minor modifications for SnowLeopard. To all whom it may concern:

1.) Build-Target for SnowLeopard 10.6.1 is “10B504″, so change all references from “Build9G55″ to “10B504″

# mkdir Build10B504 (this is for Leopard 10.6.1)
# cd Build10B504
# darwinbuild -init 10B504

2) The “environment-section”

- changed UNAME_RELEASE to “UNAME_RELEASE = 10.0″
- changed RC_RELEASE to “RC_RELEASE = SnowLeopard”
- changed MACOSX_DEPLOYMENT_TARGET to “MACOSX_DEPLOYMENT_TARGET = 10.6″

3) Patching the sources

Following the tutorial, now it’s time to build gdb

# darwinbuild -nochroot gdb

You get an unpatched gdb. All sources are now expanded.

* Patch sources located at /Volumes/Builds/Build10B504/BuildRoot/SourceCache/gdb/gdb-1344

# cd /Volumes/Builds/Build10B504/BuildRoot/SourceCache/gdb/gdb-1344
# patch -p2 < patchfile

* create source-archive /Volumes/Builds/Build10B504/Sources/gdb-1344.tar.gz

# cd /Volumes/Builds/Build10B504/BuildRoot/SourceCache/gdb
# tar cfz /Volumes/Builds/Build10B504/Sources/gdb-1344.tar.gz gdb-1344/*

By executing

# darwinbuild -nochroot gdb

you get a patched gdb. Copy this file as described.

SF666

You should be able to patch without any problems. For what I saw there were no updates on that version, Apple just increased the build number.
Just try to apply the patches and compile it with the method that is in a past article.
I still haven’t upgraded to Snow Leopard so I can’t yet compile a version for it.

fG!

thx for the cool ‘n interesting stuff … I have snow leopard running and would like to benefit from your gdb/gdbinit patches because i like your “softice” like contex view. However on snow leoprad your compiled binary isn’t working. gdb on 10.6.1 seems to be gdb-1344. Is here any possibility to “port” the patches to this version?

Greets,

SF666

Do you have the s bit set and group procmod ?

You have to copy the binary because gdb command in reality is a script at /usr/bin/gdb. It does some magic due to different architectures

However I wonder why the binary has to be in a specific path… Anyhow.

Sorry But I learned something.

Any ideas ? Must find some more free time to try to reproduce this hehehe

To reproduct the bug:
1. download Layers 1.1.4:
http://www.megaupload.com/?d=MD29L66I
2. set breakpoint to 2 different JLE locations:
$ b *0xbc78
$ b *0x7fcb
$ r

Result:
0000bc78 7e5f jle 0x0000bcd9 > gdb shows “Jump is taken”. It jump indeed.
00007fcb 7e5f jle 0x0000802c > gdb shows “Jump is NOT taken”. But It still jumps

Fix:
Search for ## JLE or JNG:
if ((($_zf_flag == 1) && ($_sf_flag == $_of_flag))
Relace with:
if ((($_zf_flag == 1) && ($_sf_flag == $_of_flag)) || (($_sf_flag == 1) && ($_zf_flag == $_of_flag)))

You have a very nice and informative blog!
i know you from the windows world for over 5 years ago.
i am a still reader, but i come twice time almost every day here.
please add the link to wishi’s blog in your “Links” collection. (very nice blog too, wishi!)

Thank you and keep update!

Thank you for the compliment Are you using the binary I provided or compiled it yourself (knowing your blog I would bet on this hehehe) ? I had that same error when I compiled gdb from Apple package out of the source. To compile correctly you need to refer to this process http://reverse.put.as/2009/01/14/how-to-compile-gdb-and-other-apple-open-source-packages-in-mac-os-x/ . You have to use darwinbuild. If you I can upload my image with my building environment.

Keep up the good work with your blog

fG!

You’ve got a very interesting blog. Especially optimizing the Apple Dev Tools to be more reversing friendly is a kewl project. However I gave this a try and it doesn’t work:

gdb$ r
Unable to find Mach task port for process-id 70506: (os/kern) failure (0×5).
gdb$ quit

Even if:

wishi@dawn ~/patched
% sudo chgrp procmod gdb-i386-apple-darwin

wishi@dawn ~/patched
% sudo chmod 2755 gdb-i386-apple-darwin

You don’t get it working. Maybe I miss something crucial?

app: Opacity: http://likethought.com/opacity/
Breakpoint 1, 0x00041ac5 in PCDrawAllLayerInContext ()

no change, when stack is disabled:

gdb$ context
Invalid type combination in equality test.
gdb$ disablestack
gdb$ context
Invalid type combination in equality test.

hope that helps.

Cheers,
Alex

Could you please tell me how to reproduce that ? Which program and at what breakpoint ? I see you have the stack window activated. Does the same happens if you remove it ?

Thanks,
fG!

but now only this

gdb$ context
Invalid type combination in ordering comparison.

shows up. thats the reason, why i downgraded.

thanks

You need to change the input-radix setting

It’s not a trick but a bug ! The only solution is to find the fix in the original gnu version. It might be a bit complicated to track down
The “file” command loads the symbols but it reproduces the bug.

Well it seems you are lucky… While writing this I found a workaround for the problem. You can use “gdb program_to_analyse” or the “file” command inside the gdb. After gdb starts, you need to issue the command “source ~/.gdbinit”. And that’s it… That will workaround and make it usable Weeeeeeeee

fG!

thanks

Thanks for the reminder ! I knew it wasn’t working anymore and it was in my todo list ! I will give it a try and understand why it’s not working… /bin/echo does exist. Something with Leopard changed things

bye!