I am a sucker for all OS X anti-debug promises I can find. There are so few tricks available that I am always curious to see if there is something new in town. So I started poking around Sentinel HASP Envelope for OS X to see what they use to fool my dear debuggers.
Well, we have the usual ptrace and sysctl tricks, a check for a kernel debugger (via the kernel boot arguments), and, to my (good) surprise, one of the anti-debug tricks I discovered a few months ago. I will not tell you what it is so you can have some fun with it.
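For readers who want to see what "the sysctl trick" and the boot-argument check actually look like, here is an added example of my own; it is not code from the post's target, from Aladdin, or from Sentinel HASP, and the helper names (tracer_pid_from_status, bootargs_request_kernel_debug, is_debugger_present, kernel_debugger_enabled) are this example's. On OS X it queries the process's kinfo_proc and tests P_TRACED, the approach Apple documents; on other systems it falls back to the TracerPid field of /proc/self/status so the file compiles and runs anywhere. The kernel-debugger check reads kern.bootargs and looks for a debug= option, which is the kind of thing such a check inspects.

```c
/* Added example, not from the original post or from Sentinel HASP: a
 * user-space debugger-presence check of the "sysctl trick" kind, plus the
 * boot-args check for a kernel debugger. Helper names are this example's own. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifdef __APPLE__
#include <sys/types.h>
#include <sys/sysctl.h>
#endif

/* Parse the TracerPid field out of a /proc/<pid>/status text (Linux fallback).
 * Returns the tracer's pid, or 0 when nothing is tracing or the field is absent. */
long tracer_pid_from_status(const char *status_text)
{
    const char *key = "TracerPid:";
    const char *p = status_text;
    while ((p = strstr(p, key)) != NULL) {
        /* Only accept the key at the start of a line. */
        if (p == status_text || p[-1] == '\n')
            return strtol(p + strlen(key), NULL, 10);
        p += strlen(key);
    }
    return 0;
}

/* True if a boot-args string carries a "debug=" option, i.e. the kernel was
 * booted with kernel-debugger support requested. Token must begin the string
 * or follow whitespace, so "nodebug=1" does not match. */
bool bootargs_request_kernel_debug(const char *bootargs)
{
    const char *p = bootargs;
    while ((p = strstr(p, "debug=")) != NULL) {
        if (p == bootargs || p[-1] == ' ' || p[-1] == '\t')
            return true;
        p += 6;
    }
    return false;
}

/* True when a debugger (or any ptrace-based tracer) is attached to this process. */
bool is_debugger_present(void)
{
#ifdef __APPLE__
    struct kinfo_proc info;
    size_t size = sizeof(info);
    int mib[4] = { CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid() };
    memset(&info, 0, sizeof(info));
    if (sysctl(mib, 4, &info, &size, NULL, 0) != 0)
        return false;              /* query failed: treat "unknown" as not traced */
    return (info.kp_proc.p_flag & P_TRACED) != 0;
#else
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return false;
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf) != 0;
#endif
}

/* True when the running kernel was booted with a debug= argument (OS X only;
 * other systems have nothing comparable to query here, so report false). */
bool kernel_debugger_enabled(void)
{
#ifdef __APPLE__
    char bootargs[1024];
    size_t len = sizeof(bootargs);
    if (sysctlbyname("kern.bootargs", bootargs, &len, NULL, 0) != 0)
        return false;
    bootargs[len < sizeof(bootargs) ? len : sizeof(bootargs) - 1] = '\0';
    return bootargs_request_kernel_debug(bootargs);
#else
    return false;
#endif
}

int main(void)
{
    printf("debugger attached: %s\n", is_debugger_present() ? "yes" : "no");
    printf("kernel debug boot-arg: %s\n", kernel_debugger_enabled() ? "yes" : "no");
    return 0;
}
```

Both checks are trivially defeatable from a debugger that breaks on the sysctl call and patches the flag or the return value, which is exactly why protectors like this envelope stack several of them and hide the calls behind an encrypted, on-the-fly import table.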
There is also an import table built on the fly, with the symbol strings and other strings encrypted (GDB's "info symbol <address>" command is useful here). And there are some functions where IDA's disassembly fails, totally out of sync. This is where I am at the moment.
In theory I shouldn't be able to progress much further, because the unpacking requires a dongle to be plugged in, which is something I don't have. I will just try to disassemble those messed-up functions.
Has anyone else picked up on this one? Are there any more interesting things to look at here?
Don’t worry Aladdin, I will not publish any details regarding this.
You can download the Sentinel CD from the Aladdin website; it contains all the tools for Windows, Linux and OS X. The program that creates the envelope is located in the VendorTools folder. Btw, the enveloped program seems to be around 10 times bigger than the original. I am glad storage is cheap these days.
Have fun,
fG!