Comments for Reverse Engineering Mac OS X

Comment on Anti-debug trick #1: Abusing Mach-O to crash GDB by Anon

Anon — Sat, 04 Feb 2012 02:28:35 +0000

Antidebug tricks like these are just what I was looking for. Thanks and keep em coming!

-anon

Comment on My first crackme… from hell, I hope :-) by hexminer

hexminer — Wed, 01 Feb 2012 18:52:28 +0000

Very nice “heisenberg” crackme!
My arsenal: VMware + IDA + mac_server + attach to process.
This python script for IDA for deobfuscate string:
p = ScreenEA()
s = []
while(Byte(p) == 0xc6):
s.append(chr(Byte(p+3)))
p = p + 4
p = p + 4
i = 0
while(Byte(p) == 0×83):
s[i] = chr(ord(s[i]) ^ Byte(p+2))
p = p + 10
i = i + 1
MakeComm(ScreenEA(), ”.join(s))

Comment on We have a crackme winner!!! by FriendlyZ

FriendlyZ — Tue, 31 Jan 2012 16:48:01 +0000

I’d be interested in learning some of the tricks right now. Still quite stuck myself

Comment on We have a crackme winner!!! by fG!

fG! — Tue, 31 Jan 2012 16:20:29 +0000

Learning that stuff was really the objective

Comment on We have a crackme winner!!! by haggai

haggai — Tue, 31 Jan 2012 16:13:36 +0000

I could personally use a hint! I’ve been getting nowhere in attacking the crackme (but learning lots things about mach-o files, dynamic loading, and gdb).

Comment on How-to remove iPad/iPhone/iPod Touch encrypted backups password if you forgot it by fG!

fG! — Mon, 30 Jan 2012 21:44:05 +0000

No, you can’t use it if you lost the password and restored your phone without using this trick first.
The only way to recover is to try to crack the password, check http://www.elcomsoft.com for such software.

Comment on How-to remove iPad/iPhone/iPod Touch encrypted backups password if you forgot it by Me

Me — Mon, 30 Jan 2012 21:04:31 +0000

If i am on 4.x that means i have to JB??? coz the backup file on my computer and now my iphone is set as new iphone, please don’t tell me i cant play with file which is on my comp. I NEED TO RESTORE IT BACK ((((

Comment on How-to remove iPad/iPhone/iPod Touch encrypted backups password if you forgot it by Batigool

Batigool — Mon, 30 Jan 2012 15:16:10 +0000

It will be my best news for 2012 already, what software i should use to edit the mentioned file plz, as i am not that expert on these matters but i will learn everything to get my orginal phone back.

Comment on How-to remove iPad/iPhone/iPod Touch encrypted backups password if you forgot it by fG!

fG! — Mon, 30 Jan 2012 11:59:56 +0000

If you are still in 4.x then you should be able to use the method described here.

Comment on How-to remove iPad/iPhone/iPod Touch encrypted backups password if you forgot it by Batigool

Batigool — Mon, 30 Jan 2012 08:19:41 +0000

Hi there,
Guys you are my only hope, I backed up my my iphone ver. 4.3.3 with a password on itunes, my iphone is not jailbroken, i forgot my password as i tried all the words possible but with no luck, so my next step is to deal with sqlite editor to change the mentioned file?

Comment on My first crackme… from hell, I hope :-) by fG!

fG! — Fri, 27 Jan 2012 10:44:56 +0000

Hello,

Just some old tricks not usually used in Mac and some own twist

fG!

Comment on My first crackme… from hell, I hope :-) by haggai

haggai — Fri, 27 Jan 2012 07:14:15 +0000

(gdb) x/4i 0x20a5
0x20a5 : pop %edx
0x20a6 : add $0×7,%edx
0x20a9 : jmp 0x20aa
0x20ab : loop 0x20fd
(gdb) x/2i 0x20aa
0x20aa : jmp *%edx
0x20ac : push %eax

That is so mean. Did you invent this trick?

Comment on My first crackme… from hell, I hope :-) by fG!

fG! — Thu, 26 Jan 2012 02:13:09 +0000

In the limit everything is security through obscurity and that was really the objective here.
Your assumptions are oversimplified and the attach approach doesn’t imply a critical hole.
I don’t want it to be uncrackable, I want people to learn and submit their approaches so everyone can benefit.

Comment on My first crackme… from hell, I hope :-) by 010b

010b — Thu, 26 Jan 2012 01:30:34 +0000

Interesting but disappointingly seems to be mainly security through obscurity. Otx, Hopper, IDA, strings, and otool don’t initially work on the binary but attaching in gdb and disassembling with x/25i or so does. Then it just comes down to breaking the assembly up and working though it. To increase difficulty with the path you’re taking you could always have the process fork itself to stop gdb from attaching. Then you’d force people to fix the binary and analyze it statically.

Comment on My first crackme… from hell, I hope :-) by fG!

fG! — Tue, 24 Jan 2012 23:05:24 +0000

That command (LC_DYLD_INFO_ONLY) is most probably introduced in Snow Leopard so Leopard dyld doesn’t recognize it and refuses to run
fG!

Comment on My first crackme… from hell, I hope :-) by tamaroth

tamaroth — Tue, 24 Jan 2012 22:08:35 +0000

And I’m in a pickle, I’m running Mac OS X 10.5.8 and the crackme doesn’t sadly run, all I get is:

dyld: unknown required load command 0×80000022
Trace/BPT trap

But I guess that’s the part of the crackme. For now I’m surprised that you can do such weird things with sections and I’m trying to figure out how to fix this, maybe once I get my OS updated I will have a better look at it.

Comment on My first crackme… from hell, I hope :-) by cHoco

cHoco — Tue, 24 Jan 2012 09:31:34 +0000

I’m pretty impressed that this thing runs ahahahah
After long time without reversing this should be pretty fun, obviously standard tools don’t work work with this, had to attach gdb to even take a glimpse of what’s happening don’t know if it’s better to try to fix the current binary or write a disassembler ad hoc Now I know what to do after the exam tomorrow! And let me tell you, nice functions names you chose

Comment on Some comments about plugin-alliance.com protection… by fG!

fG! — Tue, 24 Jan 2012 01:43:10 +0000

Oh yeah that stage one was really a dumb thing. I was probably under influence of their lame protection

Comment on Gdbinit v7.4.4 – the skip command by Flybro

Flybro — Sun, 22 Jan 2012 03:30:25 +0000

Hi mate,

I’m not sure but in hexdump definition probably line with “hexdump_aux $data_addr+$_i” should be changed to “hexdump_aux $arg0+$_i”.

Cheers,
F.

Comment on Some comments about plugin-alliance.com protection… by simblism

simblism — Sat, 21 Jan 2012 23:46:06 +0000

[licenseData decodeBase64WithNewLines:NO]; does the same like your stage one code
i thought that polling is done via notficationcenter…. but this is ridiculous !!!

Comment on Gdbinit v7.4.4 – the skip command by Flybro

Flybro — Sat, 21 Jan 2012 11:32:15 +0000

Hi mate,

Sorry, you’re right, my bad. For some weird reason this definition wasn’t works but now is fine.
But, I have question, perhaps you know how to display info about reaching breakpoint, like “Breakpoint 1, 0x00001c12 in streamer (), but under context? With long context it’s sometime hard to look up and check witch break was called.

Cheers,
F.

Comment on Gdbinit v7.4.4 – the skip command by fG!

fG! — Fri, 20 Jan 2012 15:04:20 +0000

Hello,

That behavior is already implemented since a few versions ago. Or am I misunderstanding you on this ?

fG!

Comment on Gdbinit v7.4.4 – the skip command by Flybro

Flybro — Fri, 20 Jan 2012 13:08:51 +0000

Hi, mate

Just installed yours gdbinit and have suggestion: why don’t you add, for example, under “define n”, set $oldeax = $eax.
In this way, registers change colors only if their value change. If the value in the next step will be the same, color change to white and remain white till change; if the value will be different from the last step color change to red but again, if in the next step will be the same, color change to white.

Cheers,
F.

Comment on Papers & Presentations by Lord Noteworthy

Lord Noteworthy — Thu, 12 Jan 2012 18:57:58 +0000

Nice papers on reversing inside MAC OS X platform, really like you site, keeps posting.
Noteworthy.

Comment on Fixes for the TrustedBSD backdoor – Rex the wonder dog v0.2 by fG!

fG! — Wed, 11 Jan 2012 12:23:49 +0000

You can retrieve those addresses by using the nm command on /mach_kernel. Use the -arch i386 option for the x86 symbols (default is x86_64).

Comment on Fixes for the TrustedBSD backdoor – Rex the wonder dog v0.2 by Solomon

Solomon — Wed, 11 Jan 2012 08:06:22 +0000

/*
The symbol address for kauth_cred_setuidgid().
This is for Snow Leopard 10.6.8
0×00470092 T _kauth_cred_setuidgid

for Lion 10.7.1
0x0054cb90 T _kauth_cred_setuidgid
*/

I was wondering how you got those symbol addresses

Comment on How-to remove iPad/iPhone/iPod Touch encrypted backups password if you forgot it by Stilldoesn'twork

Stilldoesn'twork — Mon, 02 Jan 2012 05:14:10 +0000

Thanks, I really have no clue about this kind of stuff. It’s not anything important, mostly save data for apps/games that I want to recover.

Comment on How-to remove iPad/iPhone/iPod Touch encrypted backups password if you forgot it by fG!

fG! — Sun, 01 Jan 2012 22:07:40 +0000

Humm it seems that Apple changed the db format in iOS 5.x. The fields are probably obfuscated/encrypted and this doesn’t applies anymore to iOS 5.x.
Need to research a little more about this.

Comment on How-to remove iPad/iPhone/iPod Touch encrypted backups password if you forgot it by Stilldoesn'twork

Stilldoesn'twork — Sun, 01 Jan 2012 04:23:57 +0000

It is iOS 5.1, I recently updated it because the untethered jailbreak came out.
It is a 4th generation ipod touch.

Thanks

Comment on How-to remove iPad/iPhone/iPod Touch encrypted backups password if you forgot it by fG!

fG! — Fri, 30 Dec 2011 01:23:29 +0000

Hello,

I have no idea about the missing row. Is it iOS 4.x or 5.x ?

fG!

Comment on How-to remove iPad/iPhone/iPod Touch encrypted backups password if you forgot it by Stilldoesn'twork

Stilldoesn'twork — Fri, 30 Dec 2011 00:01:57 +0000

Hi, thanks for your explanation.
However, I can’t find the ‘BackupPassword|BackupAgent|||apple|dk’ row!
I have used iFile and SSH, but in neither of these does the row appear. Do you have
any suggestions to what I can do? Could it be that the row is there but hidden?
Unfortunately I stored all of my passwords on my ipod, and after updating it I can’t
access the password app…

Thanks for your help

Comment on Display Mach-O headers plugin for IDA by peter

peter — Tue, 27 Dec 2011 23:49:20 +0000

I found your plugin very useful , but I can understand how to compile for 64 bit .

Where in Xcode project do I have to define the __EA64__ variable ?

I try to put in Preprocessing /preprocessor macro near __MAC__ , the built is successful but the plugin doesn’t show in ida plugin menu . I have renamed the extension to pmc64 . I don’t change anything in the project but I don’t know if I have to link with lida64

Many thanks for you work

Comment on How to compile GDB and other Apple open source packages in Mac OS X by fG!

fG! — Fri, 23 Dec 2011 21:12:21 +0000

Hello,

You need to use the latest version for Lion, which should be 1708 (or at least 1705). You can do it manually at opensource.apple.com, on 10.7.2 section.
Lion introduced new load commands and gdb is complaining about that. You might want to download my latest patch version (0.3).

fG!

Comment on How to compile GDB and other Apple open source packages in Mac OS X by mescalinum

mescalinum — Fri, 23 Dec 2011 20:52:59 +0000

hi,
I tried following your guide (my system is OSX 10.7.2). after building, I copied the new gdb-i386-apple-darwin to /usr/libexec/gdb
but I notice some new error messages “unable to read unknown load command…” (moreover, it didn’t fix the clear symbols bug)

bash-3.2$ gdb test
GNU gdb 6.3.50-20050815 (Apple version gdb-1344) (Fri Dec 23 20:42:42 UTC 2011)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type “show copying” to see the conditions.
There is absolutely no warranty for GDB. Type “show warranty” for details.
This GDB was configured as “x86_64-apple-darwin”…unable to read unknown load command 0×24
unable to read unknown load command 0×26
unable to read unknown load command 0×24
unable to read unknown load command 0×26
unable to read unknown load command 0×24
unable to read unknown load command 0×26
Reading symbols for shared libraries .. done
unable to read unknown load command 0×24
unable to read unknown load command 0×26

(gdb) bugtest
void(gdb) q

here is the original gdb:

bash-3.2$ gdb test
GNU gdb 6.3.50-20050815 (Apple version gdb-1708) (Thu Nov 3 21:59:02 UTC 2011)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type “show copying” to see the conditions.
There is absolutely no warranty for GDB. Type “show warranty” for details.
This GDB was configured as “x86_64-apple-darwin”…Reading symbols for shared libraries .. done

(gdb) bugtest
void(gdb) q

Comment on Display Mach-O headers plugin for IDA by Parity Error

Parity Error — Tue, 20 Dec 2011 17:40:57 +0000

It’s surprising there’s no tutorial or concise updated docs relating to gdb — you’re really the only person offering any kind of solid knowledge on it’s workings. Thank you! The additional tips are very helpful

Comment on Merry Christmas, Happy New Year and some notes… by snare

snare — Tue, 20 Dec 2011 13:08:07 +0000

Great work mate, and thanks for the mention. You should put some of your research together and submit to one of the many conferences coming up.

Happy new year!

Comment on Merry Christmas, Happy New Year and some notes… by Xorbox

Xorbox — Sun, 18 Dec 2011 16:38:40 +0000

Thanks for sharing such amazing research and work.

Marry Christmas and Happy New Year!

Comment on Evil iTunes Plugins from Hell by fG!

fG! — Wed, 14 Dec 2011 00:15:47 +0000

It requires a well designed plugins API and not the current mess

Comment on Evil iTunes Plugins from Hell by gb123

gb123 — Tue, 13 Dec 2011 21:48:00 +0000

Fixing this would require some pretty fundamental changes to how plugins are implemented and break many (if not all of the) existing ones, no?

Comment on Mac OS X Kernel debugging with VMware by Travis

Travis — Thu, 08 Dec 2011 03:35:50 +0000

Very good & mart way to debug kernel. Thanks for share!

Comment on Display Mach-O headers plugin for IDA by fG!

fG! — Wed, 07 Dec 2011 01:09:45 +0000

Get Chris Eagle’s book on IDA and also Amit Singh’s Mac OS X Internals. They are awesome references!
http://reverse.put.as/2009/01/14/how-to-compile-gdb-and-other-apple-open-source-packages-in-mac-os-x/ has all the steps you need to compile gdb yourself.
To patch is a matter of using the -nosource trick, or downloading the package, unpack and patch, pack again, and replace it into darwinbuild download dir. I prefer the -nosource since it’s faster.

1705 is the latest one, which is Lion compatible (due to full ASLR implementation).

Comment on Display Mach-O headers plugin for IDA by Parity Error

Parity Error — Sat, 03 Dec 2011 20:27:08 +0000

heh. I think it’s for me to get a book on IDA, since I’m quite lost. (I still haven’t figured out how to patch the gdb that I built from source, so I’m using yours until i get the know-how).

Are any of your compiled darwin builds x86_64 w/patches in your github repo? Just wondering. — I have the 1705 you’ve posted here, although didn’t know if it’s the latest *until i can patch mine*.

Thank you again for all of your helpful tips — I truly appreciate it.

Comment on Display Mach-O headers plugin for IDA by fG!

fG! — Fri, 02 Dec 2011 02:20:33 +0000

Check the Patch* functions in IDC (PatchByte for example). I usually use the IDC console to quickly modify the needed bytes.

Comment on Display Mach-O headers plugin for IDA by Parity Error

Parity Error — Fri, 02 Dec 2011 01:41:00 +0000

Thanks for the reply. I’m a bit confused on where to patch the calls, is that something I do in IDA?

I’m definitely with you on the using gdb for mostly everything; after-all, much of what I’ve learned is from you. Hopefully one of these days I’ll get some time to actually figure out how to use the IDA beast.

Comment on A new gdb frontend and some pics from the past… by endy

endy — Tue, 29 Nov 2011 09:15:06 +0000

I use this now:

GNU gdb 6.3.50-20050815 (Apple version gdb-1344)

and still shows that message.

Comment on How to compile GDB and other Apple open source packages in Mac OS X by endy

endy — Tue, 29 Nov 2011 09:12:43 +0000

OK i solve that. My problem has described in update of article.

Comment on How to compile GDB and other Apple open source packages in Mac OS X by fG!

fG! — Mon, 28 Nov 2011 19:36:36 +0000

Hello
You need to provide more info on this problem. Have you patched anything ?

Comment on How to compile GDB and other Apple open source packages in Mac OS X by endy

endy — Mon, 28 Nov 2011 17:04:03 +0000

I have a problem with this output:

ld: symbol(s) not found for architecture i386
collect2: ld returned 1 exit status
make[4]: *** [gdb] Error 1
make[3]: *** [/Volumes/Builds/Build10A432/BuildRoot/private/var/tmp/gdb/gdb-1344.obj/i386-apple-darwin--i386-apple-darwin/stamp-build-gdb] Error 2
make[2]: *** [build-gdb] Error 2
make[1]: *** [build] Error 2
make: *** [install] Error 2

How to solve this?

Comment on How-to remove iPad/iPhone/iPod Touch encrypted backups password if you forgot it by UNFORTUNALTLEY SCREWED

UNFORTUNALTLEY SCREWED — Sat, 26 Nov 2011 02:10:10 +0000

thanks i think i figured it out

Comment on Gdbinit by Cykey

Cykey — Fri, 25 Nov 2011 23:37:40 +0000

Hi, I “installed” gdbinit but now Xcode (4.2, Mac OSX Lion 10.7.2.) doesn’t show the “output” for my command-line app. Is their a way to disable it?

Thanks.

Comment on How-to remove iPad/iPhone/iPod Touch encrypted backups password if you forgot it by fG!

fG! — Fri, 25 Nov 2011 19:37:18 +0000

Download a sqlite3 client for Windows. There should be quite a few available.

Comment on How-to remove iPad/iPhone/iPod Touch encrypted backups password if you forgot it by UNFORTUNALTLEY SCREWED

UNFORTUNALTLEY SCREWED — Fri, 25 Nov 2011 19:30:41 +0000

how would i do this on a windows 7 pc?

Comment on How-to remove iPad/iPhone/iPod Touch encrypted backups password if you forgot it by 3rbal

3rbal — Fri, 25 Nov 2011 10:45:03 +0000

Hi!!! You tried multiple times like what? 20? With me its not workin… :s

Comment on A new gdb frontend and some pics from the past… by fG!

fG! — Thu, 24 Nov 2011 11:25:11 +0000

You should use gdb version from Apple/Xcode. GNU gdb 7.x is useless in OS X.

Comment on A new gdb frontend and some pics from the past… by endy

endy — Thu, 24 Nov 2011 09:12:36 +0000

I’ m enthusiastic with this app.But it says always “Cannot open target”. I ‘m in MacOsX 10.6.8 i have gdb 7.3 from macports. what can i do?
I think that has related to gdb –interpreter=mi.
Sorry for my english.

Comment on Evil iTunes Plugins from Hell by Bright Valve

Bright Valve — Tue, 22 Nov 2011 13:51:19 +0000

Forgot to mention that a user first needs to write some values into the Mail preferences file before those plug-ins are loaded by Mail.

But after that, you don’t even need SIMBL to inject code into Mail, it will load the code all by itself

A bit old, but still mostly to the point: http://eaganj.free.fr/weblog/?post/2009/07/14/Demystifying-Mail.app-Plugins-on-Leopard
(although [NSObject poseAsClass] doesn’t exist anymore in 64-bit Cocoa, the method swizzling technique still works).

Comment on Evil iTunes Plugins from Hell by fG!

fG! — Tue, 22 Nov 2011 11:48:11 +0000

Uau that’s also a complete piece of crap :-/
I knew some Safari hacks are implemented more or less with that (SIMBL) but not about Mail.app (not a user).

Good tip

Comment on Evil iTunes Plugins from Hell by Bright Valve

Bright Valve — Tue, 22 Nov 2011 07:08:01 +0000

Same with other Apple apps that support plug-ins, like Mail. In fact, because Mail lacks an actual plug-in API, the way for plug-ins to operate is to manipulate the Objective-C runtime to redirect internal Mail calls to plug-in code (so-called “method swizzling”).

It’s trivial for a plug-in to hook the message-sending/-receiving parts of Mail and to silently log/forward all incoming and outcoming mail.

Comment on Gdbinit by fG!

fG! — Tue, 22 Nov 2011 04:06:25 +0000

You can check the header of the script or use the help command (“help user” shows all commands implemented by gdbinit).

Comment on Gdbinit by ben

ben — Sat, 19 Nov 2011 17:50:51 +0000

hm… i wasnt able to find a proper documentation anywhere… is there one?
(new commands with syntax and what they do)
and is this lion ready?

Comment on Gdbinit v7.4.3 by DrakonHaSh

DrakonHaSh — Fri, 18 Nov 2011 10:53:32 +0000

bug on FreeBSD 8.1 + GNU gdb 6.1.1 [FreeBSD]
( VMWare Image: http://sourceforge.net/projects/thoughtpolicevm/files/FreeBSD/freebsd-8.1/freebsd-8.1-i386.zip/ )
=>
Error while running hook_stop:
Invalid type combination in ordering comparison.

# uname -a
FreeBSD .localdomain 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Mon Jul 19 02:55:53 UTC 2010 root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386

# gdb ./a.out
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type “show copying” to see the conditions.
There is absolutely no warranty for GDB. Type “show warranty” for details.
This GDB was configured as “i386-marcel-freebsd”…
gdb$ r

Program exited with code 0173.

Error while running hook_stop:
Invalid type combination in ordering comparison.

=========================================
gdb$ exec-file /usr/bin/uname
gdb$ r
(no debugging symbols found)…(no debugging symbols found)…FreeBSD

Program exited normally.
Error while running hook_stop:
Invalid type combination in ordering comparison.

=========================================
gdb$ shell readelf -l /usr/bin/uname

Elf file type is EXEC (Executable file)
Entry point 0×8048500
…

gdb$ break *0×8048500
Breakpoint 2 at 0×8048500
gdb$ r
(no debugging symbols found)…(no debugging symbols found)…Error while running hook_stop:
Invalid type combination in ordering comparison.

Breakpoint 1, 0×08048500 in ?? ()
gdb$ ni
Error while running hook_stop:
Invalid type combination in ordering comparison.
0×08048502 in ?? ()
gdb$ ni
Error while running hook_stop:
Invalid type combination in ordering comparison.
0×08048503 in ?? ()
gdb$

Comment on How-to remove iPad/iPhone/iPod Touch encrypted backups password if you forgot it by fG!

fG! — Thu, 17 Nov 2011 23:22:32 +0000

You probably need to try Elcomsoft tools. I don’t know about any other solution to decrypt your backups.

Comment on How-to remove iPad/iPhone/iPod Touch encrypted backups password if you forgot it by bre

bre — Thu, 17 Nov 2011 03:35:32 +0000

i was trying to update my ipod. it updated it then deleted everything. there is a backup encrypted password but i dont know it. is there anyway to get around it and recover all my information

Comment on There’s a new protection in town, Software Passport, from the developers of Armadillo :-) by fG!

fG! — Tue, 15 Nov 2011 00:13:20 +0000

Sorry I can’t help you to crack it. You have lots of information available here and at other sites to help you learn and solve your “problem”.

Comment on Gdbinit v7.4.3 by snare

snare — Tue, 15 Nov 2011 00:08:58 +0000

Love your work mate!

Comment on There’s a new protection in town, Software Passport, from the developers of Armadillo :-) by Darius

Darius — Mon, 14 Nov 2011 22:31:19 +0000

maybe if you tell me how to crack, i will, but explain as for a little children, i use mac only from 3 months, just for design, and maybe i will learn to crack it who knows

Comment on There’s a new protection in town, Software Passport, from the developers of Armadillo :-) by fG!

fG! — Mon, 14 Nov 2011 22:02:04 +0000

Sure you can, you need to crack the program you don’t want cracked.
Or just crack Software Passport

Comment on There’s a new protection in town, Software Passport, from the developers of Armadillo :-) by Darius

Darius — Mon, 14 Nov 2011 21:38:43 +0000

now i can generate licence that works but it’s show a messahe that say’s that the program was made with a trial version, can you modify the program to not show the notification screen about the trial version ,

Comment on There’s a new protection in town, Software Passport, from the developers of Armadillo :-) by Darius

Darius — Mon, 14 Nov 2011 20:16:04 +0000

the problem is that i protected the apps with licence version of softwarepassport
and now has expired and when i ‘m trying licence generated with trial version don’t work allways

Comment on There’s a new protection in town, Software Passport, from the developers of Armadillo :-) by Darius

Darius — Mon, 14 Nov 2011 14:08:21 +0000

can you tell me another method to generate licence and to protect mac apps

Comment on Gdbinit by DrakonHaSh

DrakonHaSh — Mon, 14 Nov 2011 13:00:48 +0000

bug on FreeBSD 8.1 + GNU gdb 6.1.1 [FreeBSD]
=>
Error while running hook_stop:
Invalid type combination in ordering comparison.

# uname -a
FreeBSD .localdomain 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Mon Jul 19 02:55:53 UTC 2010 root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386

Program exited with code 0173.

Error while running hook_stop:
Invalid type combination in ordering comparison.

=========================================
gdb$ exec-file /usr/bin/uname
gdb$ r
(no debugging symbols found)…(no debugging symbols found)…FreeBSD

Program exited normally.
Error while running hook_stop:
Invalid type combination in ordering comparison.

=========================================
gdb$ shell readelf -l /usr/bin/uname

Elf file type is EXEC (Executable file)
Entry point 0×8048500
…

gdb$ break *0×8048500
Breakpoint 2 at 0×8048500
gdb$ r
(no debugging symbols found)…(no debugging symbols found)…Error while running hook_stop:
Invalid type combination in ordering comparison.

Comment on There’s a new protection in town, Software Passport, from the developers of Armadillo :-) by fG!

fG! — Mon, 14 Nov 2011 12:35:35 +0000

Sorry, I can’t

Comment on There’s a new protection in town, Software Passport, from the developers of Armadillo :-) by Darius

Darius — Mon, 14 Nov 2011 06:37:30 +0000

yes, it a demo version. i see that you “cracked” your version, can you share it?

Comment on Display Mach-O headers plugin for IDA by fG!

fG! — Mon, 14 Nov 2011 01:13:28 +0000

I do not use IDA as a debugger since I got used to gdb and pretty happy with it. To beat the anti-debug in IDA you just need to patch it. As far as I remember you can patch inside IDA database and the debugger will be able to recognize those changes. The only problem are code checksums, but those are still rare in OS X world. It’s an extra step that might be worth if you want and are happy with IDA debugger.
For example, just patch the ptrace calls to beat the classic PT_DENY_ATTACH.

Comment on There’s a new protection in town, Software Passport, from the developers of Armadillo :-) by fG!

fG! — Mon, 14 Nov 2011 01:09:33 +0000

Are you using a demo license? I think it doesn’t allow what you are looking for.

Comment on Display Mach-O headers plugin for IDA by Parity Error

Parity Error — Mon, 14 Nov 2011 00:48:42 +0000

The biggest problem I have with IDA is that little tricks that work with GDB (for example anti-anti-debug), I have no idea how to do in IDA. I definitely like the concept of how IDA works, although since GDB is all that I really know, there is definitely a learning curve. I would love to be able to utilize it in the manner that it’s capable of, I just don’t know where to start.

Comment on There’s a new protection in town, Software Passport, from the developers of Armadillo :-) by Darius

Darius — Sun, 13 Nov 2011 18:36:46 +0000

hy, i found and i this program for protecting mac aps with licence , but i have some problems. it’s protect the origina apps and generate the serial key, but when i try the licence it’s doesn’t work, can some one help me with this or can tell me another program that can do the same things ( i don’t know nothing about mac or Reverse Engineering, i just want to protect one program that i share with someone)

Comment on Using OS X TrustedBSD framework to protect critical files by snare

snare — Tue, 01 Nov 2011 06:36:05 +0000

Great idea dude, nice one!

Comment on There’s a new protection in town, Software Passport, from the developers of Armadillo :-) by fG!

fG! — Sat, 29 Oct 2011 17:35:05 +0000

You need to breakpoint after it’s decrypted. The best way is to breakpoint on entrypoint and follow the code. The anti-debug is called after ptrace address is resolved.

Comment on There’s a new protection in town, Software Passport, from the developers of Armadillo :-) by xoreaxeax

xoreaxeax — Sat, 29 Oct 2011 15:57:24 +0000

The reason was vmmap gave that dreaded error “Terminating app due to uncaught exception ‘VMUDyld fatal error’”. info mach-regions didnt give a text range either. When doing that is it the loader that is shown or the actual binary decrypted?

Comment on There’s a new protection in town, Software Passport, from the developers of Armadillo :-) by fG!

fG! — Fri, 28 Oct 2011 14:22:31 +0000

Just check the text section from the mach-regions or use vmmap to do it. As far as I remember the anti-debug tricks can by easily bypassed. You don’t need to do any changes to the binary, it’s all done in memory. That why the protection is (was???) sort of weak in this matter.

Comment on There’s a new protection in town, Software Passport, from the developers of Armadillo :-) by xoreaxeax

xoreaxeax — Fri, 28 Oct 2011 12:18:24 +0000

Hi. I was wondering how you found the dump range from info mach-regions command. Also, did you make changes in the binary to make it load? If so how? Thanks.

Comment on How-to remove iPad/iPhone/iPod Touch encrypted backups password if you forgot it by Latoolboy8

Latoolboy8 — Sun, 23 Oct 2011 22:40:06 +0000

Thanks it worked like a charm.

Comment on It’s not my war but… by fG!

fG! — Fri, 21 Oct 2011 21:33:46 +0000

Greeks are really dumbasses and other stuff so that wouldn’t be a problem. And don’t worry, I am very critical of my own country

Comment on It’s not my war but… by Billy

Billy — Fri, 21 Oct 2011 18:44:15 +0000

You’re using the word “fag” as a synonym for “dumbass” or “jerk”. It’s the same thing as saying something is “gay” when what you really mean is that it sucks. What if people started calling other people “Greeks” to mean “dumbasses”, and you were Greek? It would be offensive to you.

Comment on How-to remove iPad/iPhone/iPod Touch encrypted backups password if you forgot it by Karen

Karen — Fri, 21 Oct 2011 01:11:47 +0000

I will verify the same scenario. Forgot my password, tried multiple times to guess without any luck, and then just hit cancel – BINGO! My iPod Touch began synching automatically, restoring all the old applications and other things with no problem. The box to check if you want to encrypt the backup was empty. Believe me, I left it that way this time.

Comment on How-to remove iPad/iPhone/iPod Touch encrypted backups password if you forgot it by fG!

fG! — Thu, 20 Oct 2011 10:26:12 +0000

Interesting case! I have to give it a try one of these days. It doesn’t make any sense if you can just restore and password is gone and everything is backup’ed and restored. That would be a security issue

Comment on How-to remove iPad/iPhone/iPod Touch encrypted backups password if you forgot it by DELL

DELL — Thu, 20 Oct 2011 06:50:39 +0000

I got the same problem. Actually, I got wifi problem and so jailbroken again without any backup. Previous backups were encrypted. Password didn’t know. What I did…Select the main backup and try for 10-15 times for retrying password. No luck.
The last time just click over restore and god know…IT DIDNT ASK FOR PASSWORD AND SYNC AUTOMATICALLY. ALSO, THE ENC PASSWORD WAS ALSO DISABLED. Do you think this make sense. I think this incident must be shared to you guys.

Comment on A small rant about dongles: the developer who can’t correctly implement a HASP! by fG!

fG! — Mon, 17 Oct 2011 12:03:29 +0000

The anti-debug checks are called after the import table is resolved. The hasp envelope is still starting when this happens so it’s outside those hasp dongle calls.
The vulnerability here is the bad implementation of hasp from this developer. But the envelop anti-debug is also weak
This is all happening in the new segment implemented by the envelope.

Comment on A small rant about dongles: the developer who can’t correctly implement a HASP! by xoreaxeax

xoreaxeax — Mon, 17 Oct 2011 11:14:07 +0000

A previous version of hasp had the checks in _hasp_logout:, _hasp_decrypt:, _hasp_encrypt:, _hasp_login:, _hasp_get_sessioninfo: and _hasp_update:

Is this the same here or is it the implementation of Hasp within this that is the weak point?

Comment on How-to remove iPad/iPhone/iPod Touch encrypted backups password if you forgot it by fG!

fG! — Sun, 16 Oct 2011 19:18:21 +0000

Yes, it’s a good idea to backup your backup folder in case something goes wrong.
Your strategy only works if it’s possible to restore the old encrypted backups without having to input the password, something that doesn’t make that much sense from a security point of view. I doubt it works like that.
If this is true then your strategy will not work because the only backups you have are encrypted. You need to jailbreak now and use the trick to create unencrypted backups that you can easily restore into iOS 5.

Comment on How-to remove iPad/iPhone/iPod Touch encrypted backups password if you forgot it by B

Sun, 16 Oct 2011 17:16:56 +0000

Can I do this: first create a copy of the encrpyted pw-protected backup in the event it gets deleted. Then I have to set the phone back to factory settings (wipping it clean and starting fresh), create a new version of the phone in iTunes with no previous data, then jailbreak 5OS – use your trick described above to get an unencrypted backup file and then restore it back to my current phone (which would be running on 5OS)?

Comment on How-to remove iPad/iPhone/iPod Touch encrypted backups password if you forgot it by fG!

fG! — Sun, 16 Oct 2011 17:03:27 +0000

Jailbreaking should be the easiest and fastest option to solve your problem. Jailbreak it, apply the described trick to get an unencrypted backup and voila, you can upgrade it

Comment on How-to remove iPad/iPhone/iPod Touch encrypted backups password if you forgot it by B

Sun, 16 Oct 2011 16:52:04 +0000

Here’s my situation: I wanted to upgrade to the 5OS on a 3GS phone, however, after I downloaded the upgrade, iTunes asked for my encrypted backup password. I forgot the password essentially. I tried every word/number combination I ever use for my personal stuff to no avail. Been scouring the internet for internet and aside from starting from scratch I dont have many options unless if I jailbreak it and then try your method outlined above. I have tried to download the Elcomsoft program but its going to take 9 days to find the password and my current version of the encrpypted phone/list is not coming up w/the phone information when I go to select it in the program. Some people have said it was their current passcode (4 digit pin) or an old one when they reset to factory setting but I find that hard to believe. Do have any other options on getting my data back until I remember what the lost password is?

Comment on How-to remove iPad/iPhone/iPod Touch encrypted backups password if you forgot it by fG!

fG! — Sun, 16 Oct 2011 14:49:32 +0000

Yes in your scenario you will need to crack your backups password.
Elcomsoft (http://www.elcomsoft.com/) has such product but I think it’s only available to Governments entities or it’s damn expensive.

I assume that the restore will require you to introduce the backups password, correct? If it doesn’t require you can try to restore and then use this trick to try to regain access.

Comment on How-to remove iPad/iPhone/iPod Touch encrypted backups password if you forgot it by Justin

Justin — Sun, 16 Oct 2011 14:06:40 +0000

Hey, if I’m reading this correctly, this is helpful only if you haven’t already gone and erased your phone, upgrading it before remembering that you had encrypted your backups and have no idea what the password is, correct? If my phone is now factory reset and empty, and I have a bunch of backups sitting on my computer, encrypted with a password I can’t remember, I don’t have many options, right?

Comment on How-to make an iPad connect thru a ssh SOCKS proxy + iOS “spyware” by fG!

fG! — Thu, 13 Oct 2011 13:03:36 +0000

Flurry and other analytics use a variety of hosts to upload their data so you would need to keep blocking them.
The privacy app available on Cydia repo seems to be outdated and not working. You can try to write something like it using MobileSubstrate or any other injection library (comex has one if I am not mistaken).
That is a better solution since these libraries are loaded into every app.
This also seems to be interesting: http://www.nesolabs.de/en/software/gorilla/

It really sucks that Apple doesn’t provide fine grained controls over this. This is one thing I really don’t like about iOS.

Comment on How-to make an iPad connect thru a ssh SOCKS proxy + iOS “spyware” by Harianto

Harianto — Thu, 13 Oct 2011 10:41:27 +0000

Hey fG,

I’ve read the last paragraph about flurry.com and their spyware. I was wondering if blocking flurry.com in the hosts-file will be enough to hideMyAss? Maybe I should restrict file permission only to read and clearing al the data inside… on every app
Now I’ve seeing a lot of flurry files in every app and makes me kind of paranoid about my privacy.

Regards.

Comment on Poking around Sentinel HASP Envelope for Mac OS X :-) by Adrián

Adrián — Thu, 13 Oct 2011 07:22:07 +0000

You should write a post (or several) explaining all antidebugging tricks you know on Mac OS X. That would be funny and educational

Comment on Defeating Little Snitch and thinking about piracy… by fG!

fG! — Wed, 12 Oct 2011 10:37:37 +0000

Thanks

Little Snitch is pretty advanced and has a well thought protection system.
To play around with gdb you need to bypass the KAUTH framework. One way is to patch the kernel