How to build a custom and distributable lldb

Almost two years ago (when covid was just starting and we all happily ignored it) I wrote a post about implementing x86 hardware breakpoints in lldb. This critical debugger feature was missing from lldb. Probably because lldb main users are developers and not serious reverse engineers (lol!) dealing with malicious code and/or just reversing/cracking hostile software protections (cracking is the best and most fun RE target practice).

The build process described in that post worked but I wasn’t very happy with it - not easily portable between macOS systems. Some time ago I tried to fix it but I gave up since I wasn’t in the mood to deal with build systems problems.

[Read More]

How to use GitHub Actions and private repositories to deploy a Hugo static site

For quite some time I have wanted to build a site where I could share links to the stuff I read online. There must be already plenty of sites to solve this but none satisfies my main requisite: to be under my full control. I rather do all the work myself than giving up control to a third-party that can lock me down for any reason (Twitter for example). It’s a price that I am willing to pay.

One of the main obstacles to build the site was that I needed to add/edit information from my desktop and tablet. I am definitely not a cloud fan so using it to sync between devices was out of question (people do it with Evernote, etc). For a while I thought about developing a mobile or web application to achieve this but was too lazy for that.

Last weekend the right idea popped in my mind (I think I was reading something about the topic). I could use GitHub to store the data that I need to edit between devices, and GitHub actions to automate the build process. GitHub allows unlimited private repositories to free users, and the data to store there isn’t critical. I would always have a local copy and if GitHub bans me the impact is meaningless - they are just an intermediary and both ends are controlled by me.

[Read More]

Blog Update

Lately I have been working on a new blog post about running macOS on Ryzen via KVM/QEMU. There was a need to change some blog code and because my theme fork is two years or so outdated, I decided last night to dive deep into updating and fixing it.

[Read More]

FruitFly's dropper script and its missing tricks

Note to original post:
This post was originally written back in May 2019 but was removed because of “pressure” from my employer at the time, Apple. It was written over the weekend on my own equipment and was all about information I had way before I joined Apple. Personally I don’t think there is any special drama here other than unreleased technical details about a malware that is dead and its author busted long time ago. When paranoia and envy are dominant then everything can be a potential media drama in people’s mind. It’s all bullshit. My position didn’t change and given that there is an upcoming presentation about this malware by Thomas Reed at Objective By The Sea it’s time to re-release this.

While sorting out my Mac malware collection I found out that I had an unreleased (no known public references) FruitFly/Quimitchin dropper script lost in my archives.

FruitFly made big headlines two years ago and its author has been arrested. It was first reported by MalwareBytes and then a new variant was analysed by Patrick Wardle. Besides being under the radar for more than a decade, it was kind of exotic malware because most of its code was written in Perl. Last time I did something serious in Perl was twenty years ago or so!

[Read More]

Why I Left Twitter

Because I can :-)

I was going to write a longer post about this but it is pretty much irrelevant. Essentially I have been thinking about this over the past weeks given that my character might be somewhat incompatible with what I want to achieve next. Sunday I got locked out of Twitter because some random asshole made an harassment complaint because I called him “dumb fuck” and “dumb idiot”, pretty normal things around my feed.

[Read More]

How to make LLDB a real debugger

These days the de facto debugger in macOS is LLDB. Apple’s old gdb fork doesn’t work anymore and the GNU gdb version is better these days but still quite meh (in the past it couldn’t deal with fat binary targets and I still think this holds true). So we are all essentially stuck with LLDB, warts and all. I also hate the lack of a gdbinit style output but Deroko started that project and I improved it with lldbinit.

Besides its horrible long command line syntax which is so unpopular that gdb-compatible commands were introduced, my biggest problem with it has been the lack of x86 hardware breakpoint support. While hardware breakpoints might not be needed to debug applications within Xcode, they are essential to any serious reverse engineer dealing with arbitrary untrusted targets such as malware, packers, obfuscators, and DRM. It has been a serious blocker for me against some targets and a source of immense frustration because it should be a basic debugger feature.

Last week I finally got fed up enough to dive into the LLDB C++ codebase and finally try to implement this feature. Instead of just posting a patch, this post is a journey into LLDB internals and how I implemented this feature. Hopefully it will help others exploring the LLDB codebase, which seems unfriendly because of the lack of really good documentation into its architecture. Maybe this could lead to further improvements and make LLDB more reverse engineer friendly.

[Read More]

Crafting an EFI Emulator and Interactive Debugger

In 2016 I reversed Apple’s EFI firmware password reset scheme using SCBO files. There was an old rumor that these files were able to unlock firmware password locked Macs (and even a sketchy video about a universal SCBO able to unlock any Mac). That post is available at Apple EFI firmware passwords and the SCBO myth.

All the interesting computing action happened at the EFI execution level. I made good reversing progress with static analysis, but dynamic analysis with a debugger would make the job much easier. I love debuggers because they allow you to quickly test ideas and cut corners while reversing a target. Reading disassembly listings for long periods is tiring. (U)EFI debuggers can be found in the market but they are usually quite expensive (a couple thousand USD).

My solution was to create an emulator and debugger based on Unicorn. At the time I was working a lot with Unicorn so it was natural to use it to solve this problem (“if all you have is a hammer, everything looks like a nail”). After I wrote the blogpost some people directed me to some emulators (TianoCore EmulatorPkg and efiperun). I never tried them to see if they contained an interactive debugger like I wanted. The pain wasn’t big since this was a couple of days project and it was quite fun to write.

[Read More]

Keygenning Carbon Copy Cloner Keychain Password

Passwords are a modern annoyance and their diversity is something you can’t avoid if you want a minimum amount of account security (don’t forget to turn on those 2FA options, avoiding SMS versions if possible). They get more annoying when you set a super smart new password with that smug feeling that it is such a great password that you will never forget about it (or something crappy you set in a rush). Usually you can’t remember it already in the next day or in the next week, since in a month it is totally wiped out from your memory.

This time my victim was Carbon Copy Cloner (CCC). When you generate a backup you can select an encrypted sparse bundle (disk image) as destination, and save its password in the application private keychain.

[Read More]