A memory dumper for Apple crypted binaries ! Hurray !!!

Here it is, another example of my super l33t lame coding skills! This wonder code recovers the plaintext of an Apple crypted binary by dumping it from memory, leaving the actual decryption to the kernel. Maybe direct decryption (based on Amit Singh's code) would be easier and nicer, but I wanted to do it this way as a test and an exercise. The code has a lot of comments that should help you understand what is being done.

Basically the trick is to launch the binary under ptrace (PT_TRACE_ME in the child, then exec), and then dump its memory with the Mach vm_read function. The Mach-O header has to be parsed to know which segments to dump and where they live. ptrace-based anti-debugging is not a problem, because the PT_TRACE_ME stop happens before the first instruction of the program executes, and at that stage the program is already decrypted in memory (way to go Apple!). I had to use ptrace because I couldn't find a way to have Mach task_suspend do the same job. If you know how, please tell me 🙂
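As an added example (my own code, not the dumpme sources linked below), here is that procedure written out: a bounds-checked walker for the 32-bit Mach-O load commands that finds the segments flagged SG_PROTECTED_VERSION_1, a helper that clears that flag in the dumped image (a step the post does not spell out: the dump is plaintext, so the kernel must not try to decrypt it again at the next exec), a constructed sample header to exercise both, and, compiled only on OS X, the fork / PT_TRACE_ME / task_for_pid / vm_read loop that copies the decrypted segments out of the stopped child. The struct layouts and constants are those of <mach-o/loader.h>; the function names, the 32-segment limit and the sample header are my assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* From <mach-o/loader.h> (32-bit only, as in the post), inlined so the walker builds and tests on any host. */
#define MH_MAGIC               0xfeedface
#define LC_SEGMENT             0x1
#define SG_PROTECTED_VERSION_1 0x8   /* "Apple crypted": the segment is encrypted on disk */
struct mach_header     { uint32_t magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags; };
struct load_command    { uint32_t cmd, cmdsize; };
struct segment_command { uint32_t cmd, cmdsize; char segname[16]; uint32_t vmaddr, vmsize, fileoff, filesize;
                         int32_t maxprot, initprot; uint32_t nsects, flags; };
struct seg_info { char name[17]; uint32_t vmaddr, vmsize, fileoff, filesize, flags; size_t flags_off; };

/* Collect the LC_SEGMENT commands of an in-memory 32-bit Mach-O image. Every step is checked against len:
 * the header is untrusted input, so a bogus ncmds or cmdsize must not walk us off the buffer.
 * Returns the segment count, or -1 on a malformed header or a too-small out[]. */
int find_segments(const uint8_t *img, size_t len, struct seg_info *out, int max)
{
    struct mach_header mh; if (len < sizeof mh) return -1;
    memcpy(&mh, img, sizeof mh);                       /* memcpy: img may be unaligned */
    if (mh.magic != MH_MAGIC || mh.sizeofcmds > len - sizeof mh) return -1;
    size_t off = sizeof mh, end = off + mh.sizeofcmds; int n = 0;
    for (uint32_t i = 0; i < mh.ncmds; i++) {
        struct load_command lc;
        if (end - off < sizeof lc) return -1;
        memcpy(&lc, img + off, sizeof lc);
        if (lc.cmdsize < sizeof lc || lc.cmdsize > end - off) return -1;
        if (lc.cmd == LC_SEGMENT && lc.cmdsize >= sizeof(struct segment_command)) {
            struct segment_command sc;
            if (n == max) return -1;
            memcpy(&sc, img + off, sizeof sc);
            out[n] = (struct seg_info){ {0}, sc.vmaddr, sc.vmsize, sc.fileoff, sc.filesize, sc.flags,
                                        off + offsetof(struct segment_command, flags) };
            memcpy(out[n++].name, sc.segname, 16);     /* name[16] stays '\0' from the initializer */
        }
        off += lc.cmdsize;
    }
    return n;
}

/* A dump is plaintext, so the flag that makes the kernel decrypt the segment at load time must go,
 * or the next exec would "decrypt" it into garbage. Returns how many flags were cleared. */
int strip_protection_flags(uint8_t *img, size_t len)
{
    struct seg_info segs[32]; int n = find_segments(img, len, segs, 32), cleared = 0;
    for (int i = 0; i < n; i++) {
        if (!(segs[i].flags & SG_PROTECTED_VERSION_1)) continue;
        uint32_t f = segs[i].flags & ~(uint32_t)SG_PROTECTED_VERSION_1;
        memcpy(img + segs[i].flags_off, &f, sizeof f);
        cleared++;
    }
    return cleared;
}

/* Constructed sample (no real code): load commands of a crypted i386 executable, an unprotected
 * __PAGEZERO followed by a __TEXT marked SG_PROTECTED_VERSION_1. Returns the image length. */
size_t build_sample_image(uint8_t *buf, size_t cap)
{
    struct segment_command segs[2] = {
        { LC_SEGMENT, sizeof(struct segment_command), "__PAGEZERO", 0, 0x1000, 0, 0, 0, 0, 0, 0 },
        { LC_SEGMENT, sizeof(struct segment_command), "__TEXT", 0x1000, 0x3000, 0, 0x3000, 7, 5, 0, SG_PROTECTED_VERSION_1 },
    };
    struct mach_header mh = { MH_MAGIC, 7 /* CPU_TYPE_I386 */, 3, 2 /* MH_EXECUTE */, 2, (uint32_t)sizeof segs, 0 };
    if (cap < sizeof mh + sizeof segs) return 0;
    memcpy(buf, &mh, sizeof mh);
    memcpy(buf + sizeof mh, segs, sizeof segs);
    return sizeof mh + sizeof segs;
}
#ifdef __APPLE__   /* the dump itself; needs task_for_pid rights, i.e. run it as root */
#include <mach/mach.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>
/* The post's trick: the child asks to be traced and execs the target, which stops it before its first
 * instruction; by then the kernel has decrypted the protected segments. Each one is read out of the child's
 * task with vm_read and written over the file image in img (len bytes); the caller then runs
 * strip_protection_flags on img and writes it out. Returns 0 on success. */
int dump_protected_segments(const char *path, uint8_t *img, size_t len)
{
    struct seg_info segs[32]; int n = find_segments(img, len, segs, 32), rc = -1, st;
    if (n < 0) return -1;
    pid_t pid = fork();
    if (pid == 0) { ptrace(PT_TRACE_ME, 0, 0, 0); execl(path, path, (char *)NULL); _exit(127); }
    if (pid < 0 || waitpid(pid, &st, 0) != pid || !WIFSTOPPED(st)) return -1;  /* child sits at the exec trap */
    mach_port_t task; if (task_for_pid(mach_task_self(), pid, &task) == KERN_SUCCESS) {
        rc = 0;
        for (int i = 0; i < n && rc == 0; i++) {
            if (!(segs[i].flags & SG_PROTECTED_VERSION_1)) continue;
            vm_offset_t data; mach_msg_type_number_t cnt;
            if (segs[i].fileoff > len || segs[i].filesize > len - segs[i].fileoff ||  /* untrusted offsets */
                vm_read(task, segs[i].vmaddr, segs[i].filesize, &data, &cnt) != KERN_SUCCESS) { rc = -1; break; }
            if (cnt == segs[i].filesize) memcpy(img + segs[i].fileoff, (void *)data, cnt); else rc = -1;
            vm_deallocate(mach_task_self(), data, cnt);  /* vm_read allocated it in our map (see Update 2) */
        }
    }
    ptrace(PT_KILL, pid, 0, 0); waitpid(pid, &st, 0);    /* the target never runs an instruction */
    return rc;
}
#endif
```

On OS X the flow is: read the crypted file into a buffer, call dump_protected_segments(path, buf, len) as root, then strip_protection_flags(buf, len) and write the buffer out as the dumped binary. The walker only understands MH_MAGIC images, matching the i386 binaries the post was tested on; a 64-bit image uses LC_SEGMENT_64 with a wider segment_command_64 layout and is rejected here rather than misparsed.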

My first version attached to a selected PID, but this one is much nicer. I will clean up the code for that version and add it later.

And that's it! This is more an exercise for future dumpers, although there is some software using this "protection" (hint: Linkinus). If you want to play with it, you can use Amit Singh's cryptor that is linked in the previous post.

If you find any bugs or have any improvement feel free to leave a comment or mail me. You are welcome 🙂
I have no idea if it works with PPC code. It should, but I only have i386.

Have fun!
fG!

And now the tool: dumpme_ptrace.c (SHA1(dumpme_ptrace.c)= 36231d436b0fd09c68fd729ccd34fcec887700a9)

Update:

Here are the PID version and a slightly improved ptrace version (more checks, and OpenSSL-style input/output file options).

dumpme_ptracev1.1.c SHA1(dumpme_ptracev1.1.c)= 7e441d9277e00f1c6570001305921820a4985468

dumpme.c SHA1(dumpme.c)= f3d353f532219efcfcfa87affb3b8474d7ff7e66

Update 2:

Minor fixes. Per Jez's suggestion (thanks!): vm_read allocates the buffer it returns in the caller's address space (next time I must RTFM!), so vm_deallocate must be called on it once we no longer need those bytes.
Nothing like learning how to do things correctly 🙂

dumpme_ptracev1.2.c SHA1(dumpme_ptracev1.2.c)= a7d35cf7ff8705b1da91c36aa9309a66079c0d91

dumpmev1.1.c SHA1(dumpmev1.1.c)= e1aba84eeae70663dc3580165d867e96c0770254

7 thoughts on “A memory dumper for Apple crypted binaries ! Hurray !!!”

    1. Hello,

      This dumper is specific to Apple crypted binaries (the ones referred to in the previous article's links). Syncrosoft should be totally different because you can't have a single dump, but multiple dumps.
      It's more an exercise than anything else. The next one is to dump Objective-C binaries, which need some fixing before they are able to run.

      fG!

  1. Hallo fG,

    I just want to thank you for this blog. The information you provide was a big help for me, as I'm just a beginner (and not a native English writer btw :>).
    OT: It's a pity that there are no crackmes available for OS X; this would be a very interesting project. I would love to write some simple ones, but I'm unfortunately not yet experienced enough for the tough stuff.
    Keep up the good work!

    Regards,
    hans

    p.s.: I was too lazy to write a mail, so I misused the possibility to comment. Sorry for that.

    1. Hello,

      http://www.macserialjunkie.com/ just had a cracking contest with 5 crackmes (easy ones). You can go there and grab them. One of these days I will pack them and post them here, maybe with tutorials for each one.

      No problems with the comments, site is open to everything hehehe 🙂

      Take care,
      fG!

  2. What toolchain did you use to build this? I am trying to build this on device, but apparently I don't have a toolchain that allows for task_for_pid calls; it says it's obsolete. I'm wondering whether I can get this running if I switch toolchains.

    1. This code is for OS X, not iOS. Xcode/gcc should be able to compile it fine on OS X.
      I don't know much about how to compile this for jailbroken iOS devices. Last time I checked it was a messy process 🙁
