Reverse Engineering Mac OS X

For a long time I have been annoyed by the information displayed by otool -l because it mixes hexadecimal with decimal information. For example, offsets are displayed in decimal and relative to the cpu architecture in the fat binary. So I had to convert and calculate things by hand everytime I wanted to peek or modify something at the hex editor. HT allows to see this information and even edit it, but it doesn’t support fat binaries (and I have to start it under iTerm to support the keyboard shortcuts – I didn’t want to waste time researching to get it to work with Terminal.app).
Then a reader sent me a new protection (a packer) and I started having some fun with it and again I needed a tool to display all the offsets so I could try some crazy approach to the target. Since I’m on short vacations from the MBA and I miss the adrenalin of having all my time occupied I rewrote otool -l option in Perl (yeah lots of free time to reinvent the wheel and learn something ehehheh). So ptool.pl is born ! It will process x86, x86_64 and ppc binaries and dump all the information from the mach-o header, together with the correct offset location inside the binary. This way it is very easy to navigate inside the hex editor.
I’m thinking about converting it into a full mach-o editor using Perl+ncurses. I would love to have a nice GUI in Cocoa but I don’t have time to mess with Objective-C for now (and I suck at object-oriented languages, more than the other languages ). I’m thinking too to modify otool and fix that damn display and add some other features, like disassembling any chosen offset of the binary file (it’s helpful some times and it would remove the need for an external disassembler like this one – my idea is to integrate it into otool or use otool own disassembler). It will depend on time and motivation. I can’t reverse the protection if I take all the time to write and fix tools.

So here it is version 1.0 of ptool:
ptool1.0.zip (SHA1(ptool1.0.zip)= be754c87fcfbd4ee43d47aeba197a1f20c81e296)

If you find any bug or have any suggestion feel free to leave a comment or email.

Btw, the target protection is called VLOK and is available here (updates are protected so you can use them as targets). I’m not thinking about publishing full details and code but a general analysis and description of the tricks and its design. I still believe in full disclosure but the legal and business sides are more complex and the world isn’t always as we want (all that and a 500 pages book on Business Ethics that I had to read for an exam ). And what’s the fun of having everything cooked for you ? If you want to learn you have to think and practice !

Have fun!
fG!

Update: If you want to recompile otool you need to follow the gdb guide and then do the following:

• Package name is cctools
• First use darwinbuild -nochroot cctools
• Compilation should fail with some include errors
• Edit the following files:
• Build10C540/BuildRoot/SourceCache/cctools/cctools-750/Makefile, search for -DTRIE_SUPPORT and remove it (you can leave echo “”)
• Build10C540/BuildRoot/SourceCache/cctools/cctools-750/misc/Makefile and remove the options for LTO and TRIE
• Build10C540/BuildRoot/SourceCache/cctools/cctools-750/libstuff/Makefile and remove the options for LTO
• Recompile again, this time with darwinbuild -nochroot -nosource cctools
• Wait and enjoy the recompiled otool. Now you can modify its source code
• Otool seems to work fine without those includes so hell with them !

November was a pretty busy month with exams and assignments to be delivered. I have been having a lot of fun with the MBA since analysing financial statements is some kind of reverse engineering and I missed Economics stuff (I do have a undergraduate degree in Economics). I really like to go outside the box for some time to gain new perspectives.

Since the 1st term is finished, I decided to finally upgrade to Snow Leopard. I was waiting to upgrade my MacBook to a WD Scorpio Black harddisk but I couldn’t buy it for the past 2 months so I decided to buy a Seagate Momentus 7200.4 and I can tell you it’s fantastic ! You really see the difference from a 5400rpm to a 7200rpm harddisk in a a laptop, and Snow Leopard is a great upgrade too. So with a new operating system it’s time to migrate everything and setup the reverse engineering environment and tools.

Following this, I just upgraded the gdb compile tutorial to support Snow Leopard. It’s available here. I made some things more explicit and explain how to solve a problem with libiconv. The next thing is to find how to have gdbinit to support the 64bit registers in a single file.

That’s it for now. Things are quieter for now, but not dead ! So, I wish you a happy new year ! Have fun in 2010 !!!

fG!

Things have been very quiet since the beginning of September… Well my MBA has started and my free time until now has been ZERO ! It has been a fun but very busy ride and comeback to the world of economics. The first weeks are recruit like, pretty intensive with many assignments to be delivered. The recruit is now over and I should have more free time for playing again with reversing

I just finished a small update to gdbinit. There were some bugs at the function that signaled conditional jumps so I revised it and everything should be fine now. The other thing that I have added was support for 8 and 16 bit versions of EAX,EBX,ECX and EDX registers. I don’t know why but gdb doesn’t have them and as usual I like to make things easier. So you can just use print or x/x to display $ax,$bx,$cx,$dx and $ah,$al, etc etc etc.

The next thing to update is Onyx for Snow Leopard. I just gave a very quick look at Snow Leopard source and at least proc structure is modified (some small additions). I have to check if the trick still works.

Well that should be everything for now… Gotta get back to my readings (well at least this one is about Information Systems!)

Have fun!
fG!

gdbinit72 (SHA1(gdbinit72)= cbd9c528e1730978563be2c26e2cd79d2ccdc925)

Here you have the patches I did for gdb:

• To fix problem with gdbinit
• To display raw bytes in x/i and disassemble commands
• To warn about possible number of sections anti-debug trick

You can download a single patch for all changes or one for each individual change. A patched gdb binary for Intel only is available, if you trust my binaries (copy to /usr/libexec/gdb). PHP max upload size doesn’t let me add the patched source package (can’t change it due to it’s impact on others).

I have removed symbolic name printing from the x/i command because I couldn’t find an easy workaround to have all the output aligned. Gdb table system has problems and it doesn’t work well with large columns. Nevertheless the symbolic name (when available) is printed everytime breakpoint is hit and if you really need it, you can use the disassemble command to see where you are (not removed there).

The anti-debug patch just warns about the possible trick. Unless dyld bug is fixed there’s no much interest in automatically fixing the headers. If you want to test it, you can use HT Editor (hte.sourceforge.net) to easily modify the nsects. Keep in mind that HTE only supports non-fat binaries!

This is how it looks:

Have fun,
fG!

Files:
all_patches.patch SHA1(all_patches.patch)= 74ee59cc213202d2d99c11ca8cde841890a7c7b6
number_sects_anti_debug.patch SHA1(number_sects_anti_debug.patch)= 628498adc71b91447ba8860cec3829acf0eb7f46
gdbinit_problem.patch SHA1(gdbinit_problem.patch)= efd8ab19d2675d601f02aa7f3b7ca21a9bee7704
show_raw_bytes.patch SHA1(show_raw_bytes.patch)= 6ba57a401c1d3c0f6d7b31743da79ec63603752e
gdb-i386-apple-darwin.bz2 SHA1(gdb-i386-apple-darwin.bz2)= 4ce058eb26639bba0ab9974ace27adeeef446905

If you put the patch inside gdb-768 dir you might want to use -p2 option for patch (the diffs came out of my hg repository).