Extended attributes in Mac OS X and Remote Buddy

I started working on Remote Buddy (http://www.iospirit.com) to test my module Onyx The Black Cat. Some encrypted files are stored on the hard disk (fs_usage is your friend), but even after deleting all of them the program still reported an expired trial. GDB to the rescue! After finding the correct “entrypoint” (I call entrypoint the address that helps you start to understand or find what you are interested in) and reading lots of code (the code is “unoptimized”, probably to make our reversing job boring), I finally found the interesting call, getxattr....

November 10, 2008 · 2 min · 329 words

Onyx The Black Cat v0.1 – Anti Anti-debug kernel module

Here is my crazy idea to create an anti anti-debug kernel module so that reversing efforts get a little easier and faster against “hostile” code. This module will protect you against the classic PT_DENY_ATTACH trick and the sysctl debugger detection trick http://developer.apple.com/qa/qa2004/qa1361.html. For now it’s only compatible with Mac OS X Tiger v10.4.11. Soon I will make it compatible with Leopard. Grab the binaries here: onyx-the-black-cat.kext.v0.1.tgz. This is a small program to test the sysctl trick: antidebug....

October 30, 2008 · 1 min · 130 words

PTHPasteboard 4.4.0! Generic Mac OS X protector is found?

Beowulf pointed out that the PTHPasteboard application protection looked very similar to You Control Desktops. This got me curious and so I started messing around with it. Facts:

License file isn’t crypted, like You Control Desktops
Binaries don’t have integrity checks, like You Control Desktops
public.pem has a checksum, like You Control Desktops (SHA1 is used)
Function names are obfuscated, like You Control Desktop
Demo is requested via web, although HTTPS is used instead of HTTP
Like You Control Desktops, there is a binary named Common

Since the protection is very similar, we can try to conclude that a generic protector exists!...

September 10, 2008 · 3 min · 549 words

Little Snitch continued or the broken nib files!

Little Snitch is an awesome target to learn tons of stuff about Mac OS X. It’s a very worthy challenge and I’m loving it… I gave up on it for a while to read some stuff about IPC and mach messaging, since I have strong clues it’s being used for communication between Little Snitch components. Little Snitch uses threads and other stuff to make reversing much harder. One of my various reversing threads was to try to beat the 3 hour limit, but I couldn’t find a good entry point to start tracing the network filter initialization....

August 12, 2008 · 3 min · 552 words

Mac OS X Age of Empires III 1.0.4 NO CD patch

Nozio’s NO CD patch is only for the original version (1.0.0), so I did a little binary diffing of his patch and a bit of debugging and found where the protection is on version 1.0.4. The following code makes the cd check:

00004f22 e8e9a80000 calll 0x0000f810 - call the cd check
00004f27 84c0 testb %al,%al
00004f29 7405 je 0x00004f30 - jump if no cd is present

So the patching is very easy, just NOP that jump if equal call and that’s it....

August 2, 2008 · 1 min · 87 words