How to dump an Apple protected binary

From the department of useless stuff comes a simple trick… A few days ago, a reader sent me an email asking about obfuscated code, in what appeared to be Apple’s binary protection. I already knew this Amit Singh article, but never played with it. Since I’m very curious (I love cats but Onyx still doesn’t like me very much) and I’m messing around with dumping, I decided to give it a try....

June 30, 2009 · 3 min · 506 words

"Removing" Apple code signing from a binary...

A few months ago, while discussing code signing with some user (PTHPasteboard project), I had the idea to “revirgin” the code-signed binary by removing the Mach-O LC_CODE_SIGNATURE command. As usual with my many ideas, I never explored that one, until today when I received an email asking about this idea. I decided to give it a try. My code is a simple Hello world, compiled for i386 only. After the binary is compiled, I sign it with my test certificate and mark the process to be killed if code signing fails....

May 29, 2009 · 4 min · 664 words

A bunch of old tutorials...

While cleaning my hard disk I found a zip file with a few old Mac OS X cracking tuts. Most are for PPC, but they are still useful for learning reversing techniques. Grab it here: tuts.zip (SHA1(tuts.zip)= 3a0e1729e811deb7b7e8e19e0d6a61c9e3831b84) My free time is almost zero since GMAT study is taking every second I have (well, Afro Samurai/The Godfather 2 are taking something too). A score higher than 700 is not an easy task....

April 7, 2009 · 1 min · 76 words

Defeating Little Snitch and thinking about piracy...

I have managed to bypass Little Snitch’s 3-hour limit with a one- or two-byte patch (can’t remember and too lazy to check it now) three days after I had access to kernel debugging. A very well designed protection (at least it’s a pain to analyse) was defeated because there was a weak element (there is always at least one weak element) and I easily found it. I have emailed OBDev about this and asked if they would allow me to publish details....

March 27, 2009 · 4 min · 678 words

Why is kernel debugging fun?

Just look at this: I just got Little Snitch to keep working even with the network filter being off (that should be equivalent to an expired 3-hour trial). The game is still not over because only the Once button is working, but it seems I have my entry point 😄. Little Snitch works by using a socket filter (Apple document here) installed when the kernel module starts (Correction: the Little Snitch kernel module is an IOKit driver and not a simple kernel extension)....

March 9, 2009 · 1 min · 118 words