Here it is, another example of my super l33t lame coding skills! This wonder code will decrypt an Apple-encrypted binary via memory dumping. Maybe direct decryption (based on Amit Singh's code) would be easier and nicer, but I wanted to do it this way as a test and an exercise. The code has a lot of comments that should help you understand what is being done.
Basically the trick is to load the binary and attach ptrace to it, and then dump it using the Mach vm_read function. The Mach-O header needs to be processed to find what to dump! There is no problem with ptrace anti-debugging because PT_TRACE_ME stops the program before any instruction is executed, and at that stage the program is already decrypted (way to go Apple!). I had to use ptrace because I couldn’t find a way to have Mach task_suspend do the same job. If you know how, please tell me 🙂
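The header-processing step mentioned above, as an added example that is not taken from dumpme_ptrace.c: it walks the load commands of a 32-bit Mach-O image and reports the segments flagged `SG_PROTECTED_VERSION_1`, which is assumed here to be how the protected range is marked. The struct layouts and constants follow `<mach-o/loader.h>`; `find_protected`, `build_sample` and the sample image are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Values from <mach-o/loader.h>, redefined so this builds off macOS. */
#define MH_MAGIC               0xfeedfaceu /* 32-bit image, host byte order */
#define LC_SEGMENT             0x1u
#define SG_PROTECTED_VERSION_1 0x8u        /* segment is stored encrypted */

struct mach_header32 { uint32_t magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags; };
struct segment32 { uint32_t cmd, cmdsize; char segname[16];
    uint32_t vmaddr, vmsize, fileoff, filesize, maxprot, initprot, nsects, flags; };

/* Copy up to max protected segments into out; return the count, or -1 if malformed. */
int find_protected(const uint8_t *img, size_t len, struct segment32 *out, int max)
{
    struct mach_header32 mh;
    struct segment32 sg;
    size_t off = sizeof mh;
    int found = 0;
    if (len < sizeof mh) return -1;
    memcpy(&mh, img, sizeof mh);
    if (mh.magic != MH_MAGIC || mh.sizeofcmds > len - sizeof mh) return -1;
    for (uint32_t i = 0; i < mh.ncmds; i++) {
        uint32_t lc[2];                          /* cmd, cmdsize */
        if (len - off < sizeof lc) return -1;    /* truncated load command */
        memcpy(lc, img + off, sizeof lc);
        if (lc[1] < sizeof lc || lc[1] > len - off) return -1;
        if (lc[0] == LC_SEGMENT) {
            if (lc[1] < sizeof sg) return -1;
            memcpy(&sg, img + off, sizeof sg);
            if ((sg.flags & SG_PROTECTED_VERSION_1) && found < max) out[found++] = sg;
        }
        off += lc[1];
    }
    return found;
}

/* Constructed sample: i386 header, plain __PAGEZERO, protected __TEXT. */
size_t build_sample(uint8_t *buf)
{
    struct segment32 pz = { LC_SEGMENT, sizeof pz, "__PAGEZERO", 0, 0x1000, 0, 0, 0, 0, 0, 0 };
    struct segment32 tx = { LC_SEGMENT, sizeof tx, "__TEXT", 0x1000, 0x3000, 0, 0x3000, 7, 5, 0,
                            SG_PROTECTED_VERSION_1 };
    struct mach_header32 mh = { MH_MAGIC, 7, 3, 2, 2, 2 * sizeof pz, 0 };
    memcpy(buf, &mh, sizeof mh);
    memcpy(buf + sizeof mh, &pz, sizeof pz);
    memcpy(buf + sizeof mh + sizeof pz, &tx, sizeof tx);
    return sizeof mh + 2 * sizeof pz;
}
```

Each returned entry's `vmaddr` and `vmsize` give the range the loader maps for that segment; print `segname` with `%.16s`, since a 16-character name is not NUL-terminated.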
My first version attached to a selected PID but this one is much nicer. I will clean the code for that version and add it later.
And that’s it! This is more an exercise for future dumpers although there is some software using this “protection” (hint: Linkinus). If you want to play with it, you can use Amit Singh’s cryptor that is linked in the previous post.
If you find any bugs or have any improvements, feel free to leave a comment or mail me. You are welcome 🙂
I have no idea if it’s working with PPC code. It should, but I only have i386.
And now the tool: dumpme_ptrace.c (SHA1(dumpme_ptrace.c)= 36231d436b0fd09c68fd729ccd34fcec887700a9)
Here are the PID version and a slightly improved ptrace version (more checks and an OpenSSL style for input/output files).
dumpme_ptracev1.1.c SHA1(dumpme_ptracev1.1.c)= 7e441d9277e00f1c6570001305921820a4985468
dumpme.c SHA1(dumpme.c)= f3d353f532219efcfcfa87affb3b8474d7ff7e66
Minor fixes. Per Jez's suggestion (thanks!), vm_read dynamically allocates an array of bytes (next time I must RTFM!) and vm_deallocate should be used once we no longer need those bytes.
Nothing like learning how to do things correctly 🙂
dumpme_ptracev1.2.c SHA1(dumpme_ptracev1.2.c)= a7d35cf7ff8705b1da91c36aa9309a66079c0d91
dumpmev1.1.c SHA1(dumpmev1.1.c)= e1aba84eeae70663dc3580165d867e96c0770254