Mac Reversing

While trying to reverse Little Snitch I needed to understand the concept of mach ports (since I suspect it’s used for communication between the userland programs and the kernel extension) and found some nice articles and code about code injection in Mac OS X. They are: Mach Star (old but interesting): https://github.com/rentzsch/mach_star Mach Inject and Mach Override (works for Intel!): http://guiheneuf.org/mach%20inject%20for%20intel.html Abusing Mach on Mac OS X: http://www.uninformed.org/?v=4&a=3&t=sumry http://guiheneuf.org/cross-task%20control%20on%20intel.html to enable the needed functions since they were made inactive since 10....

Little Snitch is a program for which I was very curious to hack around and try to beat it’s protection. I had a feeling it would be a very nice challenge and I can say it didn’t disappointed me! The target is version 2.0.3, running on Tiger 10.4.11. First protection to be defeated was the “classical” PTRACE_DENY_ATTACH. You Control Desktops explains and has links to this protection. If we try to attach gdb to one Little Snitch process (it has at least 3) we get a segmentation fault, so this should be PTRACE_DENY_ATTACH “protection”....

I was looking for a Post-it like program for Mac OS X (I don’t like Stickies!) and found this nice one, Edgies (available at http://www.oneriver.jp/Edgies/index_e.html). It has a very annoying register me protection which shows every few times you open/close a note. My first attempt to bypass this was to go after the serial registration routine (it’s located at RegistrationManager framework) but it appears to be too long and complicated to be worth the trouble....

This is my first Mac OS X reversing tutorial. Target is You Control Desktops, which revealed itself a very nice target to reverse. Download the files below and I hope you learn something from it. There’s no interest whatsoever in piracy, but only in learning and improving things. What you do with this information is YOUR responsability. The keygen (and decrypt.c) make a nice example of OpenSSL API usage. Keygen is non working....