PTHPasteboard 4.4.0! Generic Mac OS X protector is found?

Beowulf pointed out to PTHPasteboard application protection looked very similar to You Control Desktops. This got me curious and so I started messing around with it.

Facts:

  • License file isn’t crypted like You Control Desktops
  • Binaries don’t have integrity checks like You Control Desktops
  • public.pem has a checksum like You Control Desktops (SHA1 is used)
  • Function names are obfuscated like You Control Desktop
  • Demo is requested via web, altough HTTPS is used instead HTTP
  • Like You Control Desktops, there is a binary named Common

Since protection is very similar we can try to conclude about the existence of a generic protector! Need to find it’s name 😄.

You Control Desktops tutorial can be used to beat PTHPasteboard protection. You will need to use the sections about ptrace protection and replacing public/private keys.

To create the keygen we need to find what data is being used to create the checksum located at licence file. Since protections are very similar I used a bit of zen-cracking and searched for EVP_VerifyFinal at the PTHCommon binary. There are a few hits but the most interesting one is located at 0x3001eaf4 with a call to a function named PEM_read_bio_RSAPublicKey (this is very similar to You Control, so I assumed I’m in the right spot). If we go back a few lines, we can find a call to EVP_DigestUpdate at 0x3001ea46. We are interested to know what information is going to be digested so breakpoint at 0x3001ea39 and dump the ESI register.

We will get something like:

gdb $ x/s $edi
0xbfffe233:      "Pasteboard.4.XXXXXXXXXXXX.YYYYYYYYYYYY.2008-01-01T00:00:00Z"

Where XXX is the MAC address and YYY the serial number.

Since there are no more DigestUpdates, we can assume this is the only information being hashed into the checksum. Now we can create the keygen 😃.
To get all this, launch the PTHPasteboard program and attach GDB to it (after patching all those ptrace calls). Then just try to use any of the PRO features and GDB will hit (after breakpoints are set!).

The only detail missing is about the public key format. If you check OpenSSL documentation, you will see that function PEM_read_bio_RSAPublicKey uses public key in PKCS#1 format. If you follow You Control tutorial you will get a X509 public key format. I tried to have OpenSSL to generate the public key in PKCS#1 format but that seems impossible. The following link http://marc.info/?l=openssl-users&m=96497982824757&w=2 refers to someone with the same problem. I downloaded the latest version of OpenSSL, modified apps/genrsa.c and added the code referenced in that link after the PEM_write_bio_RSAPrivateKey if code. Compiled OpenSSL and then used this modified version to get the PKCS#1 public key. Replace the original public.pem file with this new public key and change the signatures following You Control Tutorial.

Keygen source is available: keygen-pth.working.c

PTHPasteboard website is http://pth.com/products/pthpasteboard/

If you understand You Control Desktops tutorial you should be able to successfully beat this one with the tips I gave.

Have fun!

P.S.:
The public.pem to be replaced is located at: ~/Library/PreferencePanes/PTHPasteboard.prefPane/Contents/Resources/PTHPasteboard.app/Contents/Resources

Update:
This will only work on Tiger because the binaries are protected by the new code signing feature of Leopard. It’s a bit stupid having checksum protection on Leopard and none for Tiger, since it runs on both! One more reason to install Leopard 😄. Thanks to Beowulf for having found this difference.