From the department of useless stuff comes a simple trick…
A few days ago, a reader sent me an email asking about obfuscated code, in what appeared to be Apple’s binary protection. I already knew this Amit Singh article, but never played with it. Since I’m very curious (I love cats but Onyx still doesn’t like me very much) and I’m messing around with dumping, I decided to give it a try. This Pedram Amini article is about iPhone apps but I was pretty sure the same technique would work for OS X (to be honest, last week I was playing with something else and already applied this technique with sucess).
To cut the crap and show some juice, the needed steps are:
1) Load the app into gdb (or attach to the already running process). Just let the app load and then break into gdb with control-c (if you are starting from gdb).
2) Check with vmmap the memory region for the __TEXT segment for the program you want to dump.
3) Dump that memory region to a file using gdb “dump memory” command.
4) Write the memory dump into the original file (you must replace the original __TEXT segment with the dumped one). You can use copy&paste inside an hex editor (that’s what I did), or you can use Pedram trick with “dd” (that’s what I should have done, DOH). Don’t forget to calculate the correct offset for the __TEXT segment (beware with fat binaries). My first approach was to dump the whole program, when in reality only the __TEXT segment is required. Hey, it was a quick test and I give it a little thought while getting ready to write this :).
5) Fix the flags for LC_SEGMENT/__TEXT from 0x8 to 0x0 (else it will still try to decrypt the binary and the result will be garbage and a nice crash).
6) That’s it :).
Now you can do whatever you want to the program code. It shouldn’t be very hard to code a program to automatically dump and fix the binary. You can use the mach interface to attach and dump the memory region you want, and then replace and fix the original binary. There is some sample code around (I think by Nemo), and I have some tests somewhere at my disk. Can’t find the damn code at the moment. That’s what I get for having too much stuff and still can’t organize all of it. Maybe I will try to code such tool.
If you have any questions feel free to leave a comment or mail me (comments are prefered since everyone can share information). I think it’s pretty easy to do this trick, not rocket science ! The curious detail is that the reader’s program is not from Apple. I don’t know how they managed to have it crypted or how the binaries are signed. Didn’t bothered yet to understand the process. Do you know something about it ? 🙂
Update: This is how we can create Apple crypted binaries, http://osxbook.com/book/bonus/chapter7/tpmdrmmyth/ . Mystery solved 🙂