Extended attributes in Mac OS X and Remote Buddy

I started working on Remote Buddy (http://www.iospirit.com) to test my module Onyx The Black Cat.
Some encrypted files are stored in the hard disk (fs_usage is your friend) but even after deleting all of them, the program still had expired trial. GDB to the rescue!

After finding the correct “entrypoint” (I call entrypoint to the correct address which helps you starting to understand or find what you are interested in) and reading lots of code (the code is “unoptimized”, probably to make our reversing job boring) I finally found the interesting call, getxattr. I didn’t paid much attention to this call in the middle of so many others on fs_usage.

From getxattr man page:
“Extended attributes extend the basic attributes of files and directories in the file system. They are stored as name:data pairs associated with file system objects (files, directories, symlinks, etc).”

Remote Buddy is storing encrypted meta data information at your home directory (/Users/username)! I knew this trick from rootkits but was kinda surprised to see it used here (a trick which makes sense in copy protection context).

Since there is no native Mac OS X utility to read or write these attributes, I started searching for one, but the interesting one (exttra.zip) was no longer available. Since there is a perl module to read extended attributes I started coding my own util to read and write the extended attributes.

It is available here: xattr.pl.v0.2.tgz

Update to version 0.3 here: xattr.pl.v0.3.tgz
Added support to remove attributes and some small fixes.

Diegus83 directed me to Rixstep website, which has a similar util (and a lot more!).

I’m still working on reversing Remote Buddy so when it’s finished it will feature more details about this. If you want to reverse it yourself, the fun starts at [CopyCore init]. Don’t be afraid of all those _rand. Just skip them. Ah, Onyx the Black cat module will be very useful here, else you will need to patch some calls 😉.