There’s a new protection in town, Software Passport, from the developers of Armadillo :-)

A reader sent me the link for a new software protection package called Software Passport (here). This is from Silicon Realms, the makers of Armadillo for Windows. Since I’m as curious as a cat, I started taking a quick look at it, to see if it has anything interesting related to anti-debugging and anti-disassembly.

The good news is that there are some new tricks I haven’t seen before; for example, gdb can’t trace the initial loader. I haven’t explored this yet, so I don’t know how it’s being done. When I approach a target, I prefer to understand the general pattern of things instead of immediately going after every single obstacle that appears.
The bad news is that the packed/encrypted/whatever binary is easy to dump and recover, allowing one to disassemble and poke at the real binary. I was interested in finding the registration routine (I’m playing with the protector itself), but it’s not so straightforward. Anyway, the following screenshot shows that it’s easy to dump the binary and modify stuff. It’s still too early and there’s too much left to explore, but I have a feeling that this protection needs more work 😉

Have fun,
fG!

[Screenshot: modified about box]

23 thoughts on “There’s a new protection in town, Software Passport, from the developers of Armadillo :-)”

    1. The header says it has 2 load commands but only one is shown (oops, my bad, I was just looking at LC_UNIXTHREAD, duh!). IDA 6 has problems disassembling the binary while IDA 5.x does it.
      If you find it first feel free to leave a comment 🙂 I’m more interested in understanding these tricks than breaking the protection itself hehehe.

      Ok, the answer seems to lie in that link you sent (I already knew it and used it for other stuff). Strange thing that I don’t remember ever trying to debug that tiny executable 🙂 Gdb can’t do it for the same reason that otool can’t: there’s no __text section! Most probably this is the main reason for gdb being unable to breakpoint. Thanks for the idea, I wasn’t paying attention to it hehehehe

  1. Can you talk about the detail of unpacking this?

    Like you said, otx can’t dump it, nor can gdb load it. Of course I can attach to it after it execs, but I won’t know where the app starts to unpack. I can load it in IDA but have no experience with unpacking. I found where it checks the binary (“Error! Checksum is bad: %08X should be “…), but don’t know how I can set a breakpoint to make it stop on app startup.

    Can you give me some help? (Or at least, some hint)

    Thank you.

    1. You can use the old int3 trick. Replace some byte with int3 (0xCC) and gdb will break. The entry point is usually a good target 🙂
      You will need to (manually) restore the original byte and put EIP back at the original location (this is what a debugger does automatically in a soft breakpoint). This should land you in another gdb bug, because gdb will not allow you to change EIP. The fix is the following patch: https://bugzilla.redhat.com/attachment.cgi?id=313103&action=diff (I tried this one and it appears to work). I’m adding this patch to my patch collection and will release it later today.
      The trick that I used was attaching to the process and issuing an “info mach-regions”. There was someone asking for this command the other day and I tried it (talk about luck ehhehe). This will give you a lot of information, so you need to think a little about how to know which is the right location to dump (hint for a possible way: headers ;-)). Give it a try and see what you can do.
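The int3 trick from the reply above, as an added worked example (this is not code from the original post, from fG! or from Software Passport). It reads a thin, little-endian x86 Mach-O, takes the initial PC from LC_UNIXTHREAD (eip for i386, rip for x86_64; binaries of that era had no LC_MAIN), maps it to a file offset through the LC_SEGMENT commands (so it works even when there is no __text section, since the segment still maps the bytes), writes 0xCC there and reports the original byte you will have to put back. The `build_sample_i386` helper constructs a toy Mach-O so the script runs offline; it is not a runnable program and exists only to exercise the parser. Fat binaries and big-endian (PowerPC) slices are not handled.

```python
"""Patch an int3 (0xCC) over the entry point of a Mach-O binary so gdb
breaks there, and report what must be restored afterwards.
Added example; not part of the original post."""
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
LC_SEGMENT, LC_SEGMENT_64, LC_UNIXTHREAD = 0x1, 0x19, 0x5
X86_THREAD_STATE32, X86_THREAD_STATE64 = 1, 4
INT3 = 0xCC


def load_commands(data):
    """Yield (cmd, body) for every load command; body starts at cmd/cmdsize."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC:
        hdr_size = 28          # mach_header
    elif magic == MH_MAGIC_64:
        hdr_size = 32          # mach_header_64 (extra 'reserved' field)
    else:
        raise ValueError("not a little-endian thin Mach-O: magic %#x" % magic)
    ncmds = struct.unpack_from("<I", data, 16)[0]
    off = hdr_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("bad cmdsize at offset %#x" % off)
        yield cmd, data[off:off + cmdsize]
        off += cmdsize


def entry_point(data):
    """Initial PC stored in LC_UNIXTHREAD (eip for i386, rip for x86_64)."""
    for cmd, body in load_commands(data):
        if cmd != LC_UNIXTHREAD:
            continue
        flavor, count = struct.unpack_from("<II", body, 8)
        if flavor == X86_THREAD_STATE32 and count >= 11:
            return struct.unpack_from("<I", body, 16 + 10 * 4)[0]   # eip = reg #10
        if flavor == X86_THREAD_STATE64 and count >= 17:
            return struct.unpack_from("<Q", body, 16 + 16 * 8)[0]   # rip = reg #16
        raise ValueError("unsupported thread state flavor %d" % flavor)
    raise ValueError("no LC_UNIXTHREAD found, so no entry point")


def vaddr_to_fileoff(data, vaddr):
    """Map a virtual address to a file offset via the segment commands."""
    for cmd, body in load_commands(data):
        if cmd == LC_SEGMENT:
            vmaddr, vmsize, fileoff, filesize = struct.unpack_from("<IIII", body, 24)
        elif cmd == LC_SEGMENT_64:
            vmaddr, vmsize, fileoff, filesize = struct.unpack_from("<QQQQ", body, 24)
        else:
            continue
        # Only file-backed bytes (filesize, not vmsize) can be patched on disk.
        if vmaddr <= vaddr < vmaddr + filesize:
            return fileoff + (vaddr - vmaddr)
    raise ValueError("address %#x is not file-backed" % vaddr)


def patch_int3_at_entry(data):
    """Return (patched_image, entry_vaddr, file_offset, original_byte)."""
    entry = entry_point(data)
    off = vaddr_to_fileoff(data, entry)
    original = data[off]
    patched = bytearray(data)
    patched[off] = INT3
    return bytes(patched), entry, off, original


def build_sample_i386():
    """Constructed toy i386 Mach-O (hypothetical, not a real program): one
    __TEXT segment mapping the whole file at 0x1000, entry at the code bytes."""
    code = bytes([0x55, 0x89, 0xE5, 0xC3])            # push ebp; mov ebp,esp; ret
    hdr_size, seg_size, thr_size = 28, 56, 80
    code_off = hdr_size + seg_size + thr_size         # 164
    total = code_off + len(code)
    text_vmaddr = 0x1000
    entry = text_vmaddr + code_off
    seg = struct.pack("<II16sIIIIIIII", LC_SEGMENT, seg_size, b"__TEXT",
                      text_vmaddr, total, 0, total, 7, 5, 0, 0)
    regs = [0] * 16
    regs[10] = entry                                  # eip
    thr = struct.pack("<IIII16I", LC_UNIXTHREAD, thr_size, X86_THREAD_STATE32, 16, *regs)
    hdr = struct.pack("<7I", MH_MAGIC, 7, 3, 2, 2, seg_size + thr_size, 0)
    return hdr + seg + thr + code


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 2 else build_sample_i386()
    patched, entry, off, orig = patch_int3_at_entry(src)
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(patched)
    print("entry %#x at file offset %#x, original byte %#04x" % (entry, off, orig))
    print("in gdb after the SIGTRAP: set {unsigned char}%#x = %#04x" % (entry, orig))
    print("                          set $pc = %#x" % entry)
```

Run it as `python patch_entry.py original_binary patched_binary`, then start the patched binary under gdb. When it stops with SIGTRAP, the PC is one byte past the int3, so restore the original byte with `set {unsigned char}ADDR = BYTE` and move the PC back with `set $pc = ADDR` (the same thing as setting EIP, which is where the gdb bug and patch mentioned in the reply come in).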

      1. OK, I played around with it but still can’t get the correct dump range.

        I dumped part of the memory from what I got in “info mach-regions”; the dumped binary can be read by otool/otx now, but it crashes when I try to run it. (The closest I got was the app opening but with a “can’t open document” error.)

        Maybe some more hints? 😛

        1. Yes, because dumped (Cocoa) programs miss some information. That’s the reason for the document errors. You need to fix that (I never explored that in depth) or there are better ways 🙂

  2. Too bad there’s nothing like ImpRec for Mac… Messed around with dumping this earlier but haven’t gotten it to work yet. Tried manually rebuilding the header but there are definitely problems with a section or two. Section 5 on my dump seems to have issues, and I think the document error has something to do with problems in the __OBJC segment. fG!, any chance you could give us a push in the right direction for the “better way” to approach dumping the binary?

    1. I don’t know how to fix it (I was exploring that some time ago but stopped half-way through). You are right in pointing out that __OBJC segment. When the binary is loaded, some stuff is resolved and there are differences between the original binary and the dump. Probably a good idea to reverse the XVX dumper and understand how they did it hehehe

  3. Hi. I was wondering how you found the dump range from info mach-regions command. Also, did you make changes in the binary to make it load? If so how? Thanks.

    1. Just check the text section from the mach-regions or use vmmap to do it. As far as I remember the anti-debug tricks can be easily bypassed. You don’t need to make any changes to the binary, it’s all done in memory. That’s why the protection is (was???) sort of weak in this matter.

  4. The reason was vmmap gave that dreaded error “Terminating app due to uncaught exception ‘VMUDyld fatal error'”. info mach-regions didn’t give a text range either. When doing that, is it the loader that is shown or the actual decrypted binary?

    1. You need to breakpoint after it’s decrypted. The best way is to breakpoint on entrypoint and follow the code. The anti-debug is called after ptrace address is resolved.

  5. Hi, I found this program for protecting Mac apps with a licence, but I have some problems. It protects the original apps and generates the serial key, but when I try the licence it doesn’t work. Can someone help me with this or tell me another program that can do the same things? (I don’t know anything about Mac or reverse engineering, I just want to protect one program that I share with someone.)

  6. The problem is that I protected the apps with the licensed version of Software Passport,
    and now it has expired, and a licence generated with the trial version doesn’t always work.

  7. Now I can generate a licence that works, but it shows a message that says that the program was made with a trial version. Can you modify the program to not show the notification screen about the trial version?

  8. Maybe if you tell me how to crack it, I will, but explain it as for a little child. I have used a Mac only for 3 months, just for design, and maybe I will learn to crack it, who knows 🙂

    1. Sorry I can’t help you to crack it. You have lots of information available here and at other sites to help you learn and solve your “problem”.
