<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/">
  <channel>
    <title>Reverse Engineering</title>
    <link>https://reverse.put.as/</link>
    <description>Recent content on Reverse Engineering</description>
    <generator>Hugo -- gohugo.io</generator>
    <language>en-us</language>
    <managingEditor>reverser@put.as (fG!)</managingEditor>
    <webMaster>reverser@put.as (fG!)</webMaster>
    <copyright>&amp;copy; 2025 fG!</copyright>
    <lastBuildDate>Sat, 18 Oct 2025 03:17:47 +0100</lastBuildDate><atom:link href="https://reverse.put.as/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>This blog is 18 years old already!</title>
      <link>https://reverse.put.as/2025/10/18/18yearsold/</link>
      <pubDate>Sat, 18 Oct 2025 03:17:47 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2025/10/18/18yearsold/</guid>
      <description>By serendipity I just noticed that this blog&amp;rsquo;s 18th birthday was four days ago! The first blogpost was on 14th October, 2007. Wow!!!
It all started when I was bored to death at my job, bought my first MacBook (still have it!) and started cracking er&amp;hellip; reversing stuff. At the time there wasn&amp;rsquo;t much RE information (and tooling) for Mac as there was for Windows.
And then I decided to quit, take an MBA because why not, and then missed a whole new career in management because of cultural misunderstandings (turns out that emailing Asian companies telling them their processes are wrong isn&amp;rsquo;t well accepted).</description>
    </item>
    
    <item>
      <title>Bringing Metal to a crypto backdoor fight! Exploiting the GPU and the 90s crypto wars to crack the APT Down code signing keys</title>
      <link>https://reverse.put.as/2025/08/24/rc4bruteforce/</link>
      <pubDate>Sun, 24 Aug 2025 17:17:23 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2025/08/24/rc4bruteforce/</guid>
      <description>The APT Down leak contained four code signing certificates and the passphrase only for the most recent one. Since the passphrase was found on the usual rockyou.txt wordlist, I was curious to see if the remaining three could be cracked using the same wordlist.
I started this project by writing a small utility to decrypt the PVK key, as it could be easily tested with the known passphrase. The code appeared correct, but it wasn&amp;rsquo;t working.</description>
    </item>
    
    <item>
      <title>It&#39;s the certificates, stupid!</title>
      <link>https://reverse.put.as/2025/08/11/itsthecertificatesstupid/</link>
      <pubDate>Mon, 11 Aug 2025 23:59:17 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2025/08/11/itsthecertificatesstupid/</guid>
      <description>This weekend two real hackers leaked the results of a hack of a possible APT linked to China and/or North Korea. Big hat tip and thanks to Saber and cyb0rg for disclosing such interesting material!
The leak can be found here at Distributed Denial of Secrets. The Phrack article is included in the archive while Phrack #72 isn&amp;rsquo;t released online (come on people finish that CTF!).
The authors describe some of the contents and ask for help analysing the rest of the contents.</description>
    </item>
    
    <item>
      <title>clownpertino - A simple macOS debugger detection trick</title>
      <link>https://reverse.put.as/2025/04/04/clownpertino/</link>
      <pubDate>Fri, 04 Apr 2025 18:54:57 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2025/04/04/clownpertino/</guid>
      <description>I haven&amp;rsquo;t seen this trick in the wild (and couldn&amp;rsquo;t find any references) and I&amp;rsquo;m dumbfounded as to why I didn&amp;rsquo;t notice it before. I knew and used this feature a lot, but assumed that the underlying breakpoint was only set when the option was enabled (assumptions, assumptions&amp;hellip;tss tss tss).
The story starts with an upgrade to macOS 15.4. Given Apple&amp;rsquo;s recent software quality issues, it comes as no surprise that this update broke some custom debugger-related code I was using.</description>
    </item>
    
    <item>
      <title>Cracking the Crackers</title>
      <link>https://reverse.put.as/2025/03/13/cracking-the-crackers/</link>
      <pubDate>Thu, 13 Mar 2025 17:30:10 +0000</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2025/03/13/cracking-the-crackers/</guid>
      <description>&lt;p&gt;A few weeks ago, Copycat sent me an email asking if I knew anything about the TNT warez group macOS cracks. They were worried that the cracks could be used to leverage malware since TNT is (?) Russia-based. Cyber war is real and this could be an interesting case to look at.&lt;/p&gt;
&lt;p&gt;These cracks are based on a dynamic library injection, with obfuscated code and anti-debugging measures. This of course triggered my curiosity since the usual anti-anti-debugging measures (ptrace &amp;amp; friends) weren&amp;rsquo;t working. Even more interesting, one of the cracked apps had pro-Ukraine related content that was modified, so it was a perfect target for malware. Even if malware free, what was behind the obfuscation and anti-debugging?&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>Flare-On 2024 Challenge #5 - sshd</title>
      <link>https://reverse.put.as/2024/11/29/flare-on-2024-sshd/</link>
      <pubDate>Fri, 29 Nov 2024 01:29:38 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2024/11/29/flare-on-2024-sshd/</guid>
      <description>Flare-On 2024 is gone and I just made a presentation about challenge #5 at the local meetup called 0xOpoSec. I think it&amp;rsquo;s a nice challenge to introduce a few RE and forensics concepts, and a perfect candidate to present this year.
The slides are available here, and the Unicorn Engine emulator I used to extract the flag from the final shellcode here.
Last year I did the same with challenge #12, also with a Unicorn Engine emulator.</description>
    </item>
    
    <item>
      <title>Abusing Go&#39;s infrastructure</title>
      <link>https://reverse.put.as/2024/05/24/abusing-go-infrastructure/</link>
      <pubDate>Fri, 24 May 2024 18:33:38 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2024/05/24/abusing-go-infrastructure/</guid>
      <description>I apologize if this information is already known, but I couldn&amp;rsquo;t find any references about it and I wanted to understand what was going on and share it with you because I think there is some value in doing it.
In case this wasn&amp;rsquo;t known, I apologize to the Go team for not talking to them first and jumping the full disclosure gun (I don&amp;rsquo;t think it&amp;rsquo;s that severe). I really like Go!</description>
    </item>
    
    <item>
      <title>Attacking the heart of an OpenRG modem</title>
      <link>https://reverse.put.as/2023/10/20/attacking-the-heart-of-an-openrg-modem/</link>
      <pubDate>Fri, 20 Oct 2023 13:36:20 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2023/10/20/attacking-the-heart-of-an-openrg-modem/</guid>
      <description>Note: the original post was written in 2017 when there weren&amp;rsquo;t many posts discussing direct attacks on firmware flash. It also took a while to get in touch with the ISP to give them a chance to fix some of the issues described (in particular the ACS access) and then it was left in draft mode until today. I just made a quick revision and fixed quite a few dead links.</description>
    </item>
    
    <item>
      <title>Knock Knock! Who&#39;s There? - An NSA VM</title>
      <link>https://reverse.put.as/2021/12/17/knock-knock-whos-there/</link>
      <pubDate>Fri, 17 Dec 2021 14:20:59 +0000</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2021/12/17/knock-knock-whos-there/</guid>
      <description>&lt;p&gt;Back in 2017 (feels like ages ago) I decided to take a peek into the ShadowBrokers leaks and reverse some of the tools.&lt;/p&gt;
&lt;p&gt;I started on &lt;code&gt;dewdrop&lt;/code&gt; simply because it had a macOS version. I made local presentations at &lt;a href=&#34;https://www.meetup.com/0xOPOSEC/&#34;&gt;0xOpoSec&lt;/a&gt; and &lt;a href=&#34;https://www.bsideslisbon.org&#34;&gt;BSidesLisbon&lt;/a&gt; but those slides were never published for obvious reasons (aka live implants all over the Internet).&lt;/p&gt;
&lt;p&gt;Significant time has passed and everyone went crazy last week with the beautiful &lt;a href=&#34;https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html&#34;&gt;NSO exploit VM&lt;/a&gt; published by Project Zero, so why not ride the wave and present a simple NSA BPF VM. It is still an interesting work and you have to admire the great engineering that goes behind this code. It&amp;rsquo;s not every day that you can take a peek at code developed by a well funded state actor.&lt;/p&gt;
&lt;p&gt;This post is only going to focus on the BPF part of the implant so you will have to fill in the blanks about everything else.&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>How to build a custom and distributable lldb</title>
      <link>https://reverse.put.as/2021/07/16/how-to-build-custom-lldb/</link>
      <pubDate>Fri, 16 Jul 2021 03:51:35 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2021/07/16/how-to-build-custom-lldb/</guid>
      <description>&lt;p&gt;Almost two years ago (when covid was just starting and we all happily ignored it) I wrote a &lt;a href=&#34;https://reverse.put.as/2019/11/19/how-to-make-lldb-a-real-debugger/&#34;&gt;post&lt;/a&gt; about implementing x86 hardware breakpoints in lldb. This critical debugger feature was missing from lldb. Probably because lldb main users are developers and not serious reverse engineers (lol!) dealing with malicious code and/or just reversing/cracking hostile software protections (cracking is the best and most fun RE target practice).&lt;/p&gt;
&lt;p&gt;The build process described in that post worked but I wasn&amp;rsquo;t very happy with it - not easily portable between macOS systems. Some time ago I tried to fix it but I gave up since I wasn&amp;rsquo;t in the mood to deal with build system problems.&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>How to use GitHub Actions and private repositories to deploy a Hugo static site</title>
      <link>https://reverse.put.as/2021/03/11/hugo-githubactions/</link>
      <pubDate>Thu, 11 Mar 2021 05:56:42 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2021/03/11/hugo-githubactions/</guid>
      <description>&lt;p&gt;For quite some time I have wanted to build a site where I could share links to the stuff I read online. There must be already plenty of sites to solve this but none satisfies my main requisite: to be under my full control. I would rather do all the work myself than give up control to a third-party that can lock me down for any reason (Twitter for example). It&amp;rsquo;s a price that I am willing to pay.&lt;/p&gt;
&lt;p&gt;One of the main obstacles to building the site was that I needed to add/edit information from my desktop and tablet. I am definitely not a cloud fan so using it to sync between devices was out of the question (people do it with Evernote, etc). For a while I thought about developing a mobile or web application to achieve this but was too lazy for that.&lt;/p&gt;
&lt;p&gt;Last weekend the right idea popped into my mind (I think I was reading something about the topic). I could use GitHub to store the data that I need to edit between devices, and GitHub actions to automate the build process. GitHub allows unlimited private repositories for free users, and the data to store there isn&amp;rsquo;t critical. I would always have a local copy and if GitHub bans me the impact is meaningless - they are just an intermediary and both ends are controlled by me.&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>The Finfisher Tales, Chapter 1: The dropper</title>
      <link>https://reverse.put.as/2020/09/26/the-finfisher-tales-chapter-1/</link>
      <pubDate>Sat, 26 Sep 2020 18:03:00 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2020/09/26/the-finfisher-tales-chapter-1/</guid>
      <description>&lt;p&gt;Amnesty International finally dropped the bomb and released a &lt;a href=&#34;https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/&#34;&gt;report&lt;/a&gt; about FinSpy spyware made by FinFisher Gmbh.&lt;/p&gt;
&lt;p&gt;The most interesting thing was the revelation of Mac and Linux versions, something that was missing from previous reports on this commercial malware (&lt;a href=&#34;https://securelist.com/new-finspy-ios-and-android-implants-revealed-itw/91685/&#34;&gt;Kaspersky&lt;/a&gt;, &lt;a href=&#34;https://wikileaks.org/spyfiles/docs/gamma/291_remote-monitoring-and-infection-solutions-finspy-mobile.html&#34;&gt;Wikileaks&lt;/a&gt;).&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>Is macOS under the biggest malware attack ever?</title>
      <link>https://reverse.put.as/2020/09/17/evilquest-revisited/</link>
      <pubDate>Thu, 17 Sep 2020 15:30:08 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2020/09/17/evilquest-revisited/</guid>
      <description>&lt;p&gt;No. I just clickbaited you but don&amp;rsquo;t leave yet, keep reading for something fun!&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>Blog Update</title>
      <link>https://reverse.put.as/2020/07/12/blog-update/</link>
      <pubDate>Sun, 12 Jul 2020 17:01:33 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2020/07/12/blog-update/</guid>
      <description>&lt;p&gt;Lately I have been working on a new blog post about running macOS on Ryzen via KVM/QEMU. There was a need to change some blog code and because my theme fork is two years or so outdated, I decided last night to dive deep into updating and fixing it.&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>FruitFly&#39;s dropper script and its missing tricks</title>
      <link>https://reverse.put.as/2020/03/04/a-fruitfly-dropper-and-the-missing-tricks/</link>
      <pubDate>Wed, 04 Mar 2020 00:14:40 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2020/03/04/a-fruitfly-dropper-and-the-missing-tricks/</guid>
      <description>&lt;p&gt;&lt;strong&gt;Note to original post:&lt;/strong&gt;&lt;br&gt;
&lt;em&gt;This post was originally written back in May 2019 but was removed because of &amp;ldquo;pressure&amp;rdquo; from my employer at the time, Apple. It was written over the weekend on my own equipment and was all about information I had way before I joined Apple. Personally I don&amp;rsquo;t think there is any special drama here other than unreleased technical details about a malware that is dead and its author busted a long time ago. When paranoia and envy are dominant then everything can be a potential media drama in people&amp;rsquo;s minds. It&amp;rsquo;s all bullshit. My position didn&amp;rsquo;t change and given that there is an upcoming presentation about this malware by &lt;a href=&#34;https://objectivebythesea.com/v3/content.html#tReed&#34;&gt;Thomas Reed&lt;/a&gt; at Objective By The Sea it&amp;rsquo;s time to re-release this.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;While sorting out my Mac malware collection I found out that I had an unreleased (no known public references) FruitFly/Quimitchin dropper script lost in my archives.&lt;/p&gt;
&lt;p&gt;FruitFly made big headlines two years ago and its author has been &lt;a href=&#34;https://www.zdnet.com/article/ohio-hacker-indicted-fruitfly-malware-spy-on-thousands-of-mac-users/&#34;&gt;arrested&lt;/a&gt;. It was first reported by &lt;a href=&#34;https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/&#34;&gt;MalwareBytes&lt;/a&gt; and then a new variant was analysed by &lt;a href=&#34;https://papers.put.as/papers/macosx/2017/VB2017-Wardle.pdf&#34;&gt;Patrick Wardle&lt;/a&gt;. Besides being under the radar for more than a decade, it was a kind of exotic malware because most of its code was written in Perl. The last time I did something serious in Perl was twenty years ago or so!&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>Why I Left Twitter</title>
      <link>https://reverse.put.as/2020/02/18/why-i-left-twitter/</link>
      <pubDate>Tue, 18 Feb 2020 12:47:45 +0000</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2020/02/18/why-i-left-twitter/</guid>
      <description>&lt;p&gt;Because I can :-)&lt;/p&gt;
&lt;p&gt;I was going to write a longer post about this but it is pretty much irrelevant. Essentially I have been thinking about this over the past weeks given that my character might be somewhat incompatible with what I want to achieve next. Sunday I got locked out of Twitter because some random asshole made a harassment complaint because I called him &amp;ldquo;dumb fuck&amp;rdquo; and &amp;ldquo;dumb idiot&amp;rdquo;, pretty normal things around my feed.&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>How to make LLDB a real debugger</title>
      <link>https://reverse.put.as/2019/11/19/how-to-make-lldb-a-real-debugger/</link>
      <pubDate>Tue, 19 Nov 2019 23:28:35 +0000</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2019/11/19/how-to-make-lldb-a-real-debugger/</guid>
      <description>&lt;p&gt;These days the de facto debugger in macOS is &lt;a href=&#34;https://lldb.llvm.org&#34;&gt;LLDB&lt;/a&gt;. Apple&amp;rsquo;s old gdb fork doesn&amp;rsquo;t work anymore and the &lt;a href=&#34;https://www.gnu.org/software/gdb/&#34;&gt;GNU gdb&lt;/a&gt; version is better these days but still quite meh (in the past it couldn&amp;rsquo;t deal with fat binary targets and I still think this holds true). So we are all essentially stuck with LLDB, warts and all. I also hate the lack of a &lt;a href=&#34;https://github.com/gdbinit/Gdbinit&#34;&gt;gdbinit&lt;/a&gt; style output but Deroko started that project and I improved it with &lt;a href=&#34;https://github.com/gdbinit/lldbinit&#34;&gt;lldbinit&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Besides its horrible long command line syntax which is so unpopular that gdb-compatible commands were introduced, my biggest problem with it has been the lack of &lt;strong&gt;x86 hardware breakpoint&lt;/strong&gt; support. While hardware breakpoints might not be needed to debug applications within Xcode, they are essential to any serious reverse engineer dealing with arbitrary untrusted targets such as malware, packers, obfuscators, and DRM. It has been a serious blocker for me against some targets and a source of immense frustration because it should be a basic debugger feature.&lt;/p&gt;
&lt;p&gt;Last week I finally got fed up enough to dive into the LLDB C++ codebase and finally try to implement this feature. Instead of just posting a patch, this post is a journey into LLDB internals and how I implemented this feature. Hopefully it will help others exploring the LLDB codebase, which seems unfriendly because of the lack of really good documentation into its architecture. Maybe this could lead to further improvements and make LLDB more reverse engineer friendly.&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>Crafting an EFI Emulator and Interactive Debugger</title>
      <link>https://reverse.put.as/2019/10/29/crafting-an-efi-emulator/</link>
      <pubDate>Tue, 29 Oct 2019 15:58:25 +0000</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2019/10/29/crafting-an-efi-emulator/</guid>
      <description>&lt;p&gt;In 2016 I reversed Apple&amp;rsquo;s EFI firmware password reset scheme using &lt;strong&gt;SCBO&lt;/strong&gt; files. There was an old rumor that these files were able to unlock firmware password locked Macs (and even a sketchy video about a universal SCBO able to unlock any Mac). That post is available at &lt;a href=&#34;https://reverse.put.as/2016/06/25/apple-efi-firmware-passwords-and-the-scbo-myth/&#34;&gt;Apple EFI firmware passwords and the SCBO myth&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;All the interesting computing action happened at the EFI execution level. I made good reversing progress with static analysis, but dynamic analysis with a debugger would make the job much easier. I love debuggers because they allow you to quickly test ideas and cut corners while reversing a target. Reading disassembly listings for long periods is tiring. (U)EFI debuggers can be found in the market but they are usually quite expensive (a couple thousand USD).&lt;/p&gt;
&lt;p&gt;My solution was to create an emulator and debugger based on &lt;a href=&#34;https://www.unicorn-engine.org&#34;&gt;Unicorn&lt;/a&gt;. At the time I was working a lot with Unicorn so it was natural to use it to solve this problem (&amp;ldquo;if all you have is a hammer, everything looks like a nail&amp;rdquo;). After I wrote the blogpost some people directed me to some emulators (&lt;a href=&#34;https://github.com/tianocore/tianocore.github.io/wiki/EmulatorPkg&#34;&gt;TianoCore EmulatorPkg&lt;/a&gt; and &lt;a href=&#34;https://github.com/jethrogb/uefireverse/tree/master/efiperun&#34;&gt;efiperun&lt;/a&gt;). I never tried them to see if they contained an interactive debugger like I wanted. The pain wasn&amp;rsquo;t big since this was a couple of days project and it was quite fun to write.&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>Keygenning Carbon Copy Cloner Keychain Password</title>
      <link>https://reverse.put.as/2018/10/25/keygenning-carbon-copy-cloner-keychain-password/</link>
      <pubDate>Thu, 25 Oct 2018 23:14:38 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2018/10/25/keygenning-carbon-copy-cloner-keychain-password/</guid>
      <description>&lt;p&gt;Passwords are a modern annoyance and their diversity is something you can&amp;rsquo;t avoid if you want a minimum amount of account security (don&amp;rsquo;t forget to turn on those 2FA options, avoiding SMS versions if possible). They get more annoying when you set a super smart new password with that smug feeling that it is such a great password that you will never forget about it (or something crappy you set in a rush). Usually you can&amp;rsquo;t remember it already the next day or the next week, since in a month it is totally wiped out from your memory.&lt;/p&gt;
&lt;p&gt;This time my victim was &lt;strong&gt;Carbon Copy Cloner&lt;/strong&gt; (CCC). When you generate a backup you can select an encrypted sparse bundle (disk image) as destination, and save its password in the application private keychain.&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>Reversing and Keygenning qwertyoruiop&#39;s Crackme</title>
      <link>https://reverse.put.as/2018/10/06/reversing-and-keygenning-qwertyoruiop-crackme/</link>
      <pubDate>Sat, 06 Oct 2018 23:15:21 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2018/10/06/reversing-and-keygenning-qwertyoruiop-crackme/</guid>
      <description>&lt;p&gt;I was bored this weekend and decided to take some rust out of my reversing skills before they disappear for good. I have spent the past two years or so mostly writing C code (secure C is more like an asymptote but that is why it is a fun challenge) and barely doing any serious reverse engineering and security research. So I decided to revisit some unfinished business with qwertyoruiop&amp;rsquo;s crackme. I had a look when he originally sent it but got distracted with something else at the time and never finished it. I couldn&amp;rsquo;t find any public write-up about it so I decided to write one. It is mostly targeted to newcomers to reverse engineering and macOS. You can click the pictures to see the full size version.&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>lldbinit - Improving LLDB</title>
      <link>https://reverse.put.as/2018/01/15/lldbinit-improving-lldb/</link>
      <pubDate>Mon, 15 Jan 2018 14:24:20 +0000</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2018/01/15/lldbinit-improving-lldb/</guid>
      <description>&lt;p&gt;Many years ago I had to use gdb for the first time and I absolutely hated it. At the time I was reversing (cof cof cof) Windows apps so SoftIce and friends were my favorite tools. Compared to these gdb was complete trash, mostly because the naked gdb lacks a nice context display. I like to know what the hell is going on each time I step in the debugger, without having to type a bunch of commands for it. Then I discovered the original gdbinit by +mammon and life with gdb was a bit easier.&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>Measuring OS X Meltdown Patches Performance</title>
      <link>https://reverse.put.as/2018/01/07/measuring-osx-meltdown-patches-performance/</link>
      <pubDate>Sun, 07 Jan 2018 16:49:05 +0000</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2018/01/07/measuring-osx-meltdown-patches-performance/</guid>
      <description>&lt;p&gt;Happy New Year and happy ten-year anniversary to this blog, which I totally forgot back in October :-/.
Blogging activity here has been so slow that I almost forgot how to work with Hugo.&lt;/p&gt;
&lt;p&gt;We started 2018 with heavy speculation on critical CPU bugs that were under disclosure embargo.
Luckily for us, Google decided to break the embargo and release some &lt;a href=&#34;https://googleprojectzero.blogspot.pt/2018/01/reading-privileged-memory-with-side.html&#34;&gt;proper information&lt;/a&gt; about the bugs so speculation could stop and facts could finally flow in. The merits or not of disclosure embargoes deserve a serious discussion but this post is not the place for it. This one was for sure a huge mess.&lt;/p&gt;
&lt;p&gt;The world was finally introduced to &lt;a href=&#34;https://meltdownattack.com&#34;&gt;Meltdown and Spectre&lt;/a&gt;.&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>Exploiting CVE-2017-5123</title>
      <link>https://reverse.put.as/2017/11/07/exploiting-cve-2017-5123/</link>
      <pubDate>Tue, 07 Nov 2017 15:01:18 +0000</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2017/11/07/exploiting-cve-2017-5123/</guid>
      <description>&lt;p&gt;This is a guest post by a young and talented Portuguese exploiter, Federico Bento. He won this year&amp;rsquo;s Pwnie for Epic Achievement exploiting TIOCSTI ioctl.&lt;/p&gt;
&lt;p&gt;Days ago he posted a video demonstrating an exploit for &lt;strong&gt;CVE-2017-5123&lt;/strong&gt; and luckily for you I managed to convince him to do a write-up about it.&lt;/p&gt;
&lt;p&gt;I hope you enjoy his work. Thanks Federico!&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>How to compile AFL&#39;s LLVM mode in OS X</title>
      <link>https://reverse.put.as/2017/07/10/compiling-afl-osx-llvm-mode/</link>
      <pubDate>Mon, 10 Jul 2017 12:10:08 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2017/07/10/compiling-afl-osx-llvm-mode/</guid>
      <description>&lt;p&gt;American fuzzy lop aka &lt;a href=&#34;http://lcamtuf.coredump.cx/afl/&#34;&gt;AFL&lt;/a&gt; is one of the easiest and best fuzzers out there and should be part of your development cycle if you care at least one bit about the security of your code.&lt;/p&gt;
&lt;p&gt;Its performance in &lt;em&gt;OS X&lt;/em&gt; is a bit of a let down because of issues with the &lt;strong&gt;fork()&lt;/strong&gt; system call. &lt;em&gt;AFL&lt;/em&gt; warns you about this when compiling it:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;WARNING: Fuzzing on MacOS X is slow because of the unusually high overhead of
fork() on this OS. Consider using Linux or *BSD. You can also use VirtualBox
(virtualbox.org) to put AFL inside a Linux or *BSD VM.&lt;/p&gt;
&lt;/blockquote&gt;</description>
    </item>
    
    <item>
      <title>Papers</title>
      <link>https://reverse.put.as/papers/</link>
      <pubDate>Tue, 20 Jun 2017 16:32:45 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/papers/</guid>
      <description>This page has moved to its own website.
You can find it here https://papers.put.as.
Old links are redirected, but I might have missed some so tell me if you get any dead links.
fG!</description>
    </item>
    
    <item>
      <title>gdbinit</title>
      <link>https://reverse.put.as/gdbinit/</link>
      <pubDate>Tue, 20 Jun 2017 16:30:28 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/gdbinit/</guid>
      <description>The project has moved to GitHub at https://github.com/gdbinit/gdbinit.</description>
    </item>
    
    <item>
      <title>Blog migration to Hugo</title>
      <link>https://reverse.put.as/2017/06/20/blog-migration-to-hugo/</link>
      <pubDate>Tue, 20 Jun 2017 15:10:49 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2017/06/20/blog-migration-to-hugo/</guid>
      <description>&lt;p&gt;So I finally decided to bite the bullet and migrate from &lt;a href=&#34;https://wordpress.org&#34;&gt;Wordpress&lt;/a&gt; to &lt;a href=&#34;https://gohugo.io&#34;&gt;Hugo&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;I wanted to migrate out of Wordpress for a while but the amount of work required to keep the site structure due to SEO and migrating content always stopped me from doing it. I also wanted to keep the site comments feature and since I don&amp;rsquo;t like to use cloud services such as Disqus it created another big obstacle to this operation.&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>Armory Sandbox – Building a USB analyzer with USB armory</title>
      <link>https://reverse.put.as/2017/06/20/armory-sandbox-building-usb-analyzer-with-usbarmory/</link>
      <pubDate>Tue, 20 Jun 2017 15:01:55 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2017/06/20/armory-sandbox-building-usb-analyzer-with-usbarmory/</guid>
      <description>&lt;p&gt;Some time ago a friend received a mysterious USB pen with a note talking about some kind of heavily persistent malware. He had that USB pen stored untouched and of course my curiosity took over. Since one should never plug in unknown USB devices into a computer (well, any USB device we purchase is unknown but that is another story) and I didn&amp;rsquo;t want to &amp;ldquo;burn&amp;rdquo; a computer just to take a look at the contents I decided to use my USB armory to build an air-gapped sandbox that would be harder to infect and harder for malware to escape from.&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>EFI Swiss Knife – An IDA plugin to improve (U)EFI reversing</title>
      <link>https://reverse.put.as/2017/06/13/efi-swiss-knife-an-ida-plugin-to-improve-uefi-reversing/</link>
      <pubDate>Tue, 13 Jun 2017 15:30:12 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2017/06/13/efi-swiss-knife-an-ida-plugin-to-improve-uefi-reversing/</guid>
      <description>EFI Swiss Knife - An IDA plugin to improve (U)EFI reversing</description>
    </item>
    
    <item>
      <title>Shut up snitch! – reverse engineering and exploiting a critical Little Snitch vulnerability</title>
      <link>https://reverse.put.as/2016/07/22/shut-up-snitch-reverse-engineering-and-exploiting-a-critical-little-snitch-vulnerability/</link>
      <pubDate>Fri, 22 Jul 2016 15:20:11 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2016/07/22/shut-up-snitch-reverse-engineering-and-exploiting-a-critical-little-snitch-vulnerability/</guid>
      <description>&lt;p&gt;&lt;em&gt;Little Snitch&lt;/em&gt; was among the first software packages I tried to reverse and crack when I started using Macs. In the past I reported some weaknesses related to their licensing scheme but I never audited their kernel code since I am not a fan of &lt;strong&gt;IOKit&lt;/strong&gt; reversing. The upcoming DEF CON presentation on &lt;em&gt;Little Snitch&lt;/em&gt; re-sparked my curiosity last week and it was finally time to give the firewall a closer look.&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>Apple EFI firmware passwords and the SCBO myth</title>
      <link>https://reverse.put.as/2016/06/25/apple-efi-firmware-passwords-and-the-scbo-myth/</link>
      <pubDate>Sat, 25 Jun 2016 15:10:25 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2016/06/25/apple-efi-firmware-passwords-and-the-scbo-myth/</guid>
      <description>&lt;p&gt;My original goal when I started poking around Apple’s EFI implementation was to find a way to reset a MacBook’s firmware password. My preliminary research found references to a “magical” &lt;strong&gt;SCBO&lt;/strong&gt; file that could be loaded onto a USB flash drive and booted to remove the password. The normal process workflow is to first contact Apple support. Since I don’t have the original sales receipt of this specific Mac, I assume this option isn’t possible, since anyone with a stolen Mac could get the password reset. Things got more interesting when I found a website that allegedly sold the SCBO files – just send them the necessary hash (more on this later), pay USD100, and get a working SCBO file in return. There are &lt;a href=&#34;https://www.youtube.com/watch?v=1Y9V0YA1PN0&#34;&gt;videos&lt;/a&gt; (in Portuguese but you can watch the whole process) of people claiming this works, and even some claims about a &lt;strong&gt;universal SCBO&lt;/strong&gt; that unlocks multiple Macs.&lt;/p&gt;</description>
    </item>
    
    <item>
      <title>SyScan360 Singapore 2016 slides and exploit code</title>
      <link>https://reverse.put.as/2016/04/27/syscan360-singapore-2016-slides-and-exploit-code/</link>
      <pubDate>Wed, 27 Apr 2016 15:09:50 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2016/04/27/syscan360-singapore-2016-slides-and-exploit-code/</guid>
      <description>The exploit for the bug I presented last March at SyScan360 is today one year old so I decided to release it. I wasn’t sure if I should do it or not since it can be used in the wild but Google Project Zero also released a working version so it doesn’t really make a difference.
I’m also publishing here the final version of the slides that differ slightly from the version made available at the corporate blog.</description>
    </item>
    
    <item>
      <title>The Italian morons are back! What are they up to this time?</title>
      <link>https://reverse.put.as/2016/02/29/the-italian-morons-are-back-what-are-they-up-to-this-time/</link>
      <pubDate>Mon, 29 Feb 2016 15:07:01 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2016/02/29/the-italian-morons-are-back-what-are-they-up-to-this-time/</guid>
      <description>Nothing 😃.
HackingTeam was deeply hacked in July 2015 and most of their data was spilled into public hands, including source code for all their software and also some 0day exploits. This was an epic hack that showed us their crap internal security but, more important than that, their way of doing things and their internal and external discussions, since using PGP was too much of an annoyance for these guys (Human biases are a royal pain in the ass, I know!</description>
    </item>
    
    <item>
      <title>Reversing Apple’s syslogd bug</title>
      <link>https://reverse.put.as/2016/01/22/reversing-apples-syslogd-bug/</link>
      <pubDate>Fri, 22 Jan 2016 15:02:28 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2016/01/22/reversing-apples-syslogd-bug/</guid>
      <description>Two days ago El Capitan 10.11.3 was released together with security updates for Yosemite and Mavericks. The bulletin available here describes nine security issues, most of them related to kernel or IOKit drivers. The last security issue is about a memory corruption issue on syslog that could lead to arbitrary code execution with root privileges. I was quite curious about this bug mostly because it involved syslogd, a logging daemon.</description>
    </item>
    
    <item>
      <title>Gatekeerper – A kernel extension to mitigate Gatekeeper bypasses</title>
      <link>https://reverse.put.as/2015/11/09/gatekeerper-a-kernel-extension-to-mitigate-gatekeeper-bypasses/</link>
      <pubDate>Mon, 09 Nov 2015 15:00:29 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2015/11/09/gatekeerper-a-kernel-extension-to-mitigate-gatekeeper-bypasses/</guid>
      <description>Last month Patrick Wardle presented Exposing Gatekeeper at VB2015 Prague. The core of the presentation deals with Gatekeeper bypasses originating in the fact that Gatekeeper only verifies the code signatures of the main binary and not of any linked libraries/frameworks/bundles.
This means it is possible to run unsigned code using dynamic library hijacking techniques also presented by Patrick in code that should be protected by Gatekeeper. His exploit uses an Apple code signed application that is vulnerable to dylib hijacking and is modified to run unsigned code when downloaded from the Internet.</description>
    </item>
    
    <item>
      <title>London and Asia EFI monsters tour!</title>
      <link>https://reverse.put.as/2015/11/06/london-and-asia-efi-monsters-tour/</link>
      <pubDate>Fri, 06 Nov 2015 14:59:48 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2015/11/06/london-and-asia-efi-monsters-tour/</guid>
      <description>Finally back home from the China and Japan tour, so it’s time to finally release the updated slides about EFI Monsters. After Secuinside I updated them a bit, fixing stuff I wasn’t happy with and adding some new content.
The updated version was first presented at 44CON London. I had serious reservations about going to the UK (not even in transit!) but Steve Lord’s and Adrian’s charm convinced me to give it a try.</description>
    </item>
    
    <item>
      <title>Rootfool – a small tool to dynamically disable and enable SIP in El Capitan</title>
      <link>https://reverse.put.as/2015/10/12/rootfool-a-small-tool-to-dynamically-disable-and-enable-sip-in-el-capitan/</link>
      <pubDate>Mon, 12 Oct 2015 14:58:18 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2015/10/12/rootfool-a-small-tool-to-dynamically-disable-and-enable-sip-in-el-capitan/</guid>
      <description>El Capitan is finally released and System Integrity Protection aka SIP aka rootless is finally a reality we must face. Let me briefly describe SIP (technical details maybe in another post, now that El Capitan is final and out of NDAs). This post by Rich Trouton contains a very good description of its userland implementation and configuration.
What is SIP anyway? The description that I like to use is that SIP is a giant system-wide sandbox, that controls access to what Apple considers critical files and folders.</description>
    </item>
    
    <item>
      <title>Writing Bad @$$ Lamware for OS X</title>
      <link>https://reverse.put.as/2015/08/07/writing-bad-lamware-for-os-x/</link>
      <pubDate>Fri, 07 Aug 2015 14:55:51 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2015/08/07/writing-bad-lamware-for-os-x/</guid>
      <description>The following is a guest post by noar (@noarfromspace), a long time friend.
It shows some simple attacks against BlockBlock, a software developed by Patrick Wardle that monitors OS X common persistence locations for potential malware. The other day noar was telling me about a few bypasses he had found so I invited him to write a guest post.
The title is obviously playing with one of Patrick’s presentations. I met Patrick at Shakacon last year and this is not an attempt to shame him (that is reserved mostly for Apple ;-)).</description>
    </item>
    
    <item>
      <title>BSides Lisbon and SECUINSIDE 2015 presentations</title>
      <link>https://reverse.put.as/2015/07/21/bsides-lisbon-and-secuinside-2015-presentations/</link>
      <pubDate>Tue, 21 Jul 2015 14:55:14 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2015/07/21/bsides-lisbon-and-secuinside-2015-presentations/</guid>
      <description>I guess my goal for the remaining 2015 of not doing any presentations will not happen. Two weeks ago I presented at BSides Lisbon 2015 and last week at SECUINSIDE 2015.
I’m very happy to see BSides Lisbon returning after the first edition in 2013. Congrats to Bruno, Tiago, and the rest of the team for making it happen. It’s still a small conference but I’m glad they are making it happen, and I will always do my best to help the Portuguese scene going forward.</description>
    </item>
    
    <item>
      <title>Reversing Prince Harming’s kiss of death</title>
      <link>https://reverse.put.as/2015/07/01/reversing-prince-harmings-kiss-of-death/</link>
      <pubDate>Wed, 01 Jul 2015 14:46:45 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2015/07/01/reversing-prince-harmings-kiss-of-death/</guid>
      <description>The suspend/resume vulnerability disclosed a few weeks ago (named Prince Harming by Katie Moussouris) turned out to be a zero day. While (I believe) its real world impact is small, it is nonetheless a critical vulnerability and (another) spectacular failure from Apple. It must be noticed that firmware issues are not Apple exclusive. For example, Gigabyte ships their UEFI with the flash always unlocked and other vendors also suffer from all kinds of firmware vulnerabilities.</description>
    </item>
    
    <item>
      <title>The Empire Strikes Back Apple – how your Mac firmware security is completely broken</title>
      <link>https://reverse.put.as/2015/05/29/the-empire-strikes-back-apple-how-your-mac-firmware-security-is-completely-broken/</link>
      <pubDate>Fri, 29 May 2015 14:44:34 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2015/05/29/the-empire-strikes-back-apple-how-your-mac-firmware-security-is-completely-broken/</guid>
      <description>If you are a rootkits fan the latest Chaos Communication Congress (CCC) in 2014 brought us two excellent presentations, Thunderstrike by Trammell Hudson and Attacks on UEFI security, inspired by Darth Venami’s misery and Speed Racer by Rafal Wojtczuk and Corey Kallenberg.
The first one was related to the possibility to attack EFI from a Thunderbolt device, and the second had a very interesting vulnerability regarding the (U)EFI boot script table.</description>
    </item>
    
    <item>
      <title>How to fix rootpipe in Mavericks and call Apple’s bullshit bluff about rootpipe fixes</title>
      <link>https://reverse.put.as/2015/04/13/how-to-fix-rootpipe-in-mavericks-and-call-apples-bullshit-bluff-about-rootpipe-fixes/</link>
      <pubDate>Mon, 13 Apr 2015 14:42:07 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2015/04/13/how-to-fix-rootpipe-in-mavericks-and-call-apples-bullshit-bluff-about-rootpipe-fixes/</guid>
      <description>The rootpipe vulnerability was finally fully disclosed last week after a couple of months of expectation since its first announcement. It was disclosed as a hidden backdoor but it’s really something more related to access control and crap design than a backdoor. Although keep in mind that good backdoors should be hard to distinguish from simple errors. In this case there are a lot of services using this feature so it’s hardly a hidden backdoor that just sits there waiting for some evil purpose.</description>
    </item>
    
    <item>
      <title>How to bypass Google’s Santa LOCKDOWN mode</title>
      <link>https://reverse.put.as/2015/04/13/how-to-bypass-googles-santa-lockdown-mode/</link>
      <pubDate>Mon, 13 Apr 2015 14:41:33 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2015/04/13/how-to-bypass-googles-santa-lockdown-mode/</guid>
      <description>Santa is a binary whitelisting/blacklisting system made by Google Macintosh Operations Team. While I refer to it as Google’s Santa it is not an official Google product. It is based on a kernel extension and userland components to control the execution of binaries in OS X systems.
It features two interesting modes of execution, monitor and lockdown. The monitor mode is a blacklisting system, where all binaries except those blacklisted can run.</description>
    </item>
    
    <item>
      <title>BadXNU, a rotten apple! – CodeBlue 2014, SyScan 2015 slides and source code</title>
      <link>https://reverse.put.as/2015/03/19/badxnu-a-rotten-apple-codeblue-2014-syscan-2015-slides-and-source-code/</link>
      <pubDate>Thu, 19 Mar 2015 14:41:01 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2015/03/19/badxnu-a-rotten-apple-codeblue-2014-syscan-2015-slides-and-source-code/</guid>
      <description>The last SyScan is almost here so it’s time to get into a plane again and travel to Singapore.
This means that the slides and source code can finally be released. Below you can find the archive with both presentations’ slides (they are slightly different, the SyScan version fixes/upgrades a few things) and full source code for both rootkit/kext loaders.
I hope you enjoy them; they are quite fun techniques, in particular the second one, which I now sort of regret disclosing because it’s so cool.</description>
    </item>
    
    <item>
      <title>https is now (finally) supported!</title>
      <link>https://reverse.put.as/2015/01/13/https-is-now-finally-supported/</link>
      <pubDate>Tue, 13 Jan 2015 14:40:21 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2015/01/13/https-is-now-finally-supported/</guid>
      <description>Hummm this is something that I should have done a long time ago but was always too lazy since there’s no highly critical information here (except some hashes and my PGP key/id).
Anyway, you can finally access the blog over https://reverse.put.as. I still need to understand if there’s any impact on Google search stuff by moving it to HTTPS only.
Better late than never. Oh and fuck you David Cameron and your stupid populist ideas.</description>
    </item>
    
    <item>
      <title>Happy New Year!</title>
      <link>https://reverse.put.as/2015/01/10/happy-new-year/</link>
      <pubDate>Sat, 10 Jan 2015 14:39:50 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2015/01/10/happy-new-year/</guid>
      <description>A few days late but, Happy New Year! 2014 is gone and it was an interesting year. Learnt quite a few new things in different areas, created tons of code, and got a couple of very interesting ideas to explore in 2015.
It also ended in a great way with a visit to CodeBlue to present BadXNU, a rotten apple. If there’s a city and a country I always wanted to visit, those were Tokyo and Japan.</description>
    </item>
    
    <item>
      <title>Patching what Apple doesn’t want to or how to make your “old” OS X versions a bit safer</title>
      <link>https://reverse.put.as/2014/10/31/patching-what-apple-doesnt-want-to-or-how-to-make-your-old-os-x-versions-a-bit-safer/</link>
      <pubDate>Fri, 31 Oct 2014 14:38:51 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2014/10/31/patching-what-apple-doesnt-want-to-or-how-to-make-your-old-os-x-versions-a-bit-safer/</guid>
      <description>Today a local privilege escalation vulnerability was disclosed in this blog post. It describes a vulnerability in IOBluetoothFamily kernel extension (IOKit is a never-ending hole of security vulnerabilities).
Mavericks and most probably all previous versions are vulnerable but not Yosemite.
The reason for this is that Apple silently patched the bug in Yosemite. This is not a new practice, where Apple patches bugs in the latest and newly released OS X version and doesn’t care about older versions.</description>
    </item>
    
    <item>
      <title>Can I SUID: a TrustedBSD policy module to control suid binaries execution</title>
      <link>https://reverse.put.as/2014/10/03/can-i-suid-a-trustedbsd-policy-module-to-control-suid-binaries-execution/</link>
      <pubDate>Fri, 03 Oct 2014 14:38:19 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2014/10/03/can-i-suid-a-trustedbsd-policy-module-to-control-suid-binaries-execution/</guid>
      <description>Let me present you another TrustedBSD policy module, this time to control execution of suid enabled binaries.
The idea to create this started with nemo’s exploitation of bash’s shellshock bug and VMware Fusion. It was an easy local privilege escalation because there are many Fusion suid enabled binaries. This got me thinking that I want to know when these kinds of binaries are executed and, if possible, control access to them.</description>
    </item>
    
    <item>
      <title>The double free mach port bug: The short story of a dead 0day</title>
      <link>https://reverse.put.as/2014/09/24/the-double-free-mach-port-bug-the-short-story-of-a-dead-0day/</link>
      <pubDate>Wed, 24 Sep 2014 14:37:25 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2014/09/24/the-double-free-mach-port-bug-the-short-story-of-a-dead-0day/</guid>
      <description>The iOS 8 security update bulletin has many fixed bugs, one of which is this one:
A double free issue existed in the handling of Mach ports.
This issue was addressed through improved validation of Mach ports.
CVE-2014-4375 : an anonymous researcher.
Well, I’ve known this bug for a while and it was insanely fun as an anti-debugging measure because of its random effects when triggered. For example, sometimes you get an immediate kernel panic, other times nothing happens, and most of the time you get weird CPU spikes not attributed to any process, or system lock ups after a while.</description>
    </item>
    
    <item>
      <title>Shakacon #6 presentation: Fuck you Hacking Team, From Portugal with Love.</title>
      <link>https://reverse.put.as/2014/06/26/shakacon-6-presentation-fuck-you-hacking-team-from-portugal-with-love/</link>
      <pubDate>Thu, 26 Jun 2014 14:36:44 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2014/06/26/shakacon-6-presentation-fuck-you-hacking-team-from-portugal-with-love/</guid>
      <description>Aloha,
Shakacon number 6 is over, it was a blast and I must confess it beat my expectations. Congratulations to everyone involved in making it possible. Definitely recommended if you want to speak or attend, and totally worth the massive jet lag.
My presentation was about reverse engineering the latest known sample of Hacking Team’s OS X malware. The slide count is 206 and I was obviously not able to present everything. The goal is that you have a nice reference available for this malware and also MPRESS unpacking (technically dumping).</description>
    </item>
    
    <item>
      <title>About the processor_set_tasks() access to kernel memory vulnerability</title>
      <link>https://reverse.put.as/2014/05/05/about-the-processor_set_tasks-access-to-kernel-memory-vulnerability/</link>
      <pubDate>Mon, 05 May 2014 14:35:40 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2014/05/05/about-the-processor_set_tasks-access-to-kernel-memory-vulnerability/</guid>
      <description>At BlackHat Asia 2014, Ming-chieh Pan and Sung-ting Tsai presented about Mac OS X Rootkits (paper and slides). They describe some very cool techniques to access kernel memory in different ways than the usual ones. The slides and paper aren’t very descriptive about all the techniques so this weekend I decided to give it a try and replicate the described vulnerability to access kernel memory.
The access to kernel task (process 0) was possible before Leopard (or was it fixed in Snow Leopard?</description>
    </item>
    
    <item>
      <title>Revisiting Mac OS X Kernel Rootkits Phrack article is finally out!</title>
      <link>https://reverse.put.as/2014/04/18/revisiting-mac-os-x-kernel-rootkits-phrack-article-is-finally-out/</link>
      <pubDate>Fri, 18 Apr 2014 14:35:09 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2014/04/18/revisiting-mac-os-x-kernel-rootkits-phrack-article-is-finally-out/</guid>
      <description>Enjoy it at Phrack.
It’s finally out. It feels a bit old and it is indeed a bit old but still a good paper (or at least I tried to make it that way). The supplied code is for an older version of that rootkit. For example it still has dependencies on importing task, proc and other kernel private structures. The updated version solves all required offsets so it easily supports new and old OS X versions.</description>
    </item>
    
    <item>
      <title>Rex vs The Romans – Anti Hacking Team Kernel Extension</title>
      <link>https://reverse.put.as/2014/04/08/rex-vs-the-romans-anti-hacking-team-kernel-extension/</link>
      <pubDate>Tue, 08 Apr 2014 14:34:21 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2014/04/08/rex-vs-the-romans-anti-hacking-team-kernel-extension/</guid>
      <description>After surviving the five shots at SyScan’s WhiskeyCon I am finally back home and you get a chance to see the slides and code for the TrustedBSD module I presented there.
The goal of REX vs The Romans is to work as a detection and prevention tool for Hacking Team’s OS X malware. The TrustedBSD hook allows detecting if the system is already infected, and the Kauth listener warns about any future infection.</description>
    </item>
    
    <item>
      <title>Teaching Rex another TrustedBSD trick to hide from Volatility</title>
      <link>https://reverse.put.as/2014/03/18/teaching-rex-another-trustedbsd-trick-to-hide-from-volatility/</link>
      <pubDate>Tue, 18 Mar 2014 14:32:11 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2014/03/18/teaching-rex-another-trustedbsd-trick-to-hide-from-volatility/</guid>
      <description>Rex the Wonder Dog (here and here) is a proof of concept that uses the TrustedBSD framework to install kernel level backdoors. Volatility is able to detect these malicious modules with a plugin created by Andrew Case. The plugin works by looking up the TrustedBSD structures and dumping information about the loaded modules.</description>
At SyScan360 I presented a “new” trick to bypass this plugin by creating a shadow structure and leaving the legit one untouched.</description>
    </item>
    
    <item>
      <title>Don’t die GDB, we love you: kgmacros ported to Mavericks.</title>
      <link>https://reverse.put.as/2014/02/21/dont-die-gdb-we-love-you-kgmacros-ported-to-mavericks/</link>
      <pubDate>Fri, 21 Feb 2014 14:31:25 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2014/02/21/dont-die-gdb-we-love-you-kgmacros-ported-to-mavericks/</guid>
      <description>Our lovely GDB has been declared dead with Xcode 5 release. The new king in town is LLDB, and that also applies to kernel debugging. Change is good, even if we Humans don’t like it, but&amp;hellip; there’s still no gdbinit for LLDB and I just love it. Even more important (for kernel debugging), LLDB still has no support (afaik) for VMware GDB stub. This means it’s not possible to do kernel debugging in Mavericks VMs other than KDP.</description>
    </item>
    
    <item>
      <title>Analysis of CoinThief/A &#34;dropper&#34;</title>
      <link>https://reverse.put.as/2014/02/16/analysis-of-cointhiefa-dropper/</link>
      <pubDate>Sun, 16 Feb 2014 11:51:26 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2014/02/16/analysis-of-cointhiefa-dropper/</guid>
      <description>There is no such thing as malware in OS X but last week another sample was spotted and made the “news”. I am talking about CoinThief, a malware designed to hijack Bitcoin accounts and steal everything (I must confess I laughed a bit; I think Bitcoin is just a bullshit pyramid scheme but I digress).
There are a few samples out there, in different stages of evolution, so this is probably not a very recent operation.</description>
    </item>
    
    <item>
      <title>AppleDoesntGiveAFuckAboutSecurity iTunes Evil Plugin Proof of Concept</title>
      <link>https://reverse.put.as/2014/02/15/appledoesntgiveafuckaboutsecurity-itunes-evil-plugin-proof-of-concept/</link>
      <pubDate>Sat, 15 Feb 2014 11:49:37 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2014/02/15/appledoesntgiveafuckaboutsecurity-itunes-evil-plugin-proof-of-concept/</guid>
      <description>Oh this one has been into my head for so long that I finally decided to try and create the code for it. So let’s go!
What’s the background story?
In August 2011 I reported to Apple a security issue with iTunes. What happens is that iTunes plugins are loaded into iTunes process space so they have full control of iTunes. Evil plugins can do all kinds of things such as stealing iTunes passwords and credit card information, or patching some annoying features as I did with Disable m3u plugin.</description>
    </item>
    
    <item>
      <title>Updated version of Onyx The Black Cat</title>
      <link>https://reverse.put.as/2014/02/14/updated-version-of-onyx-the-black-cat/</link>
      <pubDate>Fri, 14 Feb 2014 11:49:05 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2014/02/14/updated-version-of-onyx-the-black-cat/</guid>
      <description>New version available at the github repo, compatible with Mavericks and with a Cocoa app to control its features.
Mavericks’ sysent table is modified so previous versions weren’t compatible with it. I updated the sysent table definitions. It’s not the best method to ensure future compatibility in case Apple decides to change the structure again. A better way is to find the symbols for the syscalls and replace them directly in the sysent table.</description>
    </item>
    
    <item>
      <title>Linux/HackingTeamRDorks.A, a “new” and improved version of Linux/CDorked.A</title>
      <link>https://reverse.put.as/2014/02/05/linuxhackingteamrdorks-a-a-new-and-improved-version-of-linuxcdorked-a/</link>
      <pubDate>Wed, 05 Feb 2014 11:45:29 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2014/02/05/linuxhackingteamrdorks-a-a-new-and-improved-version-of-linuxcdorked-a/</guid>
      <description>Disclaimer: This malware sample is not in any way related to Hacking Team (as far as I know) other than me making some jokes about them related to a future presentation about their OS X malware product.
Two months ago (maybe three) I started noticing a sporadic redirect when I accessed these blog pages. It wasn’t anything &amp;ldquo;malicious&amp;rdquo; as far as I could evaluate; just a redirect to an adult friend finder site.</description>
    </item>
    
    <item>
      <title>Breaking OS X signed kernel extensions with a NOP</title>
      <link>https://reverse.put.as/2013/11/23/breaking-os-x-signed-kernel-extensions-with-a-nop/</link>
      <pubDate>Sat, 23 Nov 2013 11:44:32 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2013/11/23/breaking-os-x-signed-kernel-extensions-with-a-nop/</guid>
      <description>For some reason Apple wants to change external kernel extensions location from /System/Library/Extensions to /Library/Extensions and introduced in Mavericks a code signing requirement for all extensions and/or drivers located in that folder. Extensions will not be loaded if not signed (those located in the “old” folder and not signed will only generate a warning [check my SyScan360 slides]). The signing certificates require a special configuration and to obtain them you need to justify it.</description>
    </item>
    
    <item>
      <title>One small patch for GDB, one giant leap for reversers!</title>
      <link>https://reverse.put.as/2013/11/08/one-small-patch-for-gdb-one-giant-leap-for-reversers/</link>
      <pubDate>Fri, 08 Nov 2013 11:43:41 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2013/11/08/one-small-patch-for-gdb-one-giant-leap-for-reversers/</guid>
      <description>One thing that really bothered me for a long time while debugging is the need to calculate the libraries loaded addresses versus the addresses at disk if you want to follow and comment library code in IDA. While the ASLR slide can also be disabled when starting processes (or even attaching by disabling it first in the Mach-O header) sometimes I want to attach to ASLR enabled processes and once again I need to compute values without the slide to follow in IDA.</description>
    </item>
    
    <item>
      <title>Why ESET’s OS X Rootkit Detector is useless...</title>
      <link>https://reverse.put.as/2013/09/30/why-esets-os-x-rootkit-detector-is-useless/</link>
      <pubDate>Mon, 30 Sep 2013 11:43:01 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2013/09/30/why-esets-os-x-rootkit-detector-is-useless/</guid>
      <description>Last week ESET released a Rootkit Detector tool for OS X. I finally gave a look at it today and as I suspected it is useless (unless rootkit authors are not reading my slides like ESET does not seem to). The only thing it appears to be doing is to check if sysent pointers were modified. Let’s be honest, it’s useless in particular when they mention they have limited visibility into OS X rootkits.</description>
    </item>
    
    <item>
      <title>SyScan360 Beijing slides</title>
      <link>https://reverse.put.as/2013/09/30/syscan360-beijing-slides/</link>
      <pubDate>Mon, 30 Sep 2013 11:42:22 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2013/09/30/syscan360-beijing-slides/</guid>
      <description>Eight days and 10 flights later I am back from SyScan360 in Beijing. It was my first visit to China and I had lots of fun observing many things that I only “knew” from reading. The scale and dimension of everything in Beijing is quite a surprise. No wonder why every Western company wants to be there. We had great food and an awesome visit to the Great Wall. A big thank you to the boys and girls from the organization for all their hard work and dedication.</description>
    </item>
    
    <item>
      <title>HiTCON 2013 slides</title>
      <link>https://reverse.put.as/2013/07/30/hitcon-2013-slides/</link>
      <pubDate>Tue, 30 Jul 2013 11:41:43 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2013/07/30/hitcon-2013-slides/</guid>
      <description>Taipei is definitely one of my favourite cities in the world!
I love its “infinite” amount of small shops, in particular at night when lights are on. Streets look so beautiful and busy. Everyone is very friendly and respectful, and most important, I feel very safe. And the food is awesome (thank you Thomas!). I really love it! If you like Asia, Taiwan is a must visit.
The only problem is language – English is not widely spoken.</description>
    </item>
    
    <item>
      <title>Gone in 59 seconds: tips and tricks to bypass AppMinder’s Jailbreak detection</title>
      <link>https://reverse.put.as/2013/06/30/gone-in-59-seconds-tips-and-tricks-to-bypass-appminders-jailbreak-detection/</link>
      <pubDate>Sun, 30 Jun 2013 11:40:44 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2013/06/30/gone-in-59-seconds-tips-and-tricks-to-bypass-appminders-jailbreak-detection/</guid>
      <description>There’s a new attempt at jailbreak detection available at http://appminder.nesolabs.de. It is mostly aimed at Enterprise applications and not AppStore usage. I am not sure about AppStore rules, but those tricks will most probably not pass the approval process.
AppMinder provides three levels of jailbreak detection and anti-debugging measures. The different levels are related to self-integrity checking and code obfuscation rates. When you generate a new protection, it will give you some plug’n’pray code to plug into your existing code base.</description>
    </item>
    
    <item>
      <title>Another gift: Crackme #1 source code from hell!</title>
      <link>https://reverse.put.as/2013/06/11/another-gift-crackme-1-source-code-from-hell/</link>
      <pubDate>Tue, 11 Jun 2013 11:40:06 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2013/06/11/another-gift-crackme-1-source-code-from-hell/</guid>
      <description>A reader was asking me some questions related to some stuff I used in my crackme and I decided to release its source code. Enough time has gone by already and I do not think it has many important secrets.
Now, you will have to forgive me, but that is one hell of an ugly source code! I just removed some dead code and did some other minor cleanups. Right now I do not have enough time to fix and clean up the code, even if I really do not like it at all.</description>
    </item>
    
    <item>
      <title>Clapzok.A: reversing the OS X part of a multiplatform PoC infector</title>
      <link>https://reverse.put.as/2013/05/31/clapzok-a-reversing-the-os-x-part-of-a-multiplatform-poc-infector/</link>
      <pubDate>Fri, 31 May 2013 11:36:55 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2013/05/31/clapzok-a-reversing-the-os-x-part-of-a-multiplatform-poc-infector/</guid>
      <description>I was lucky enough to get my hands on an updated version of an interesting multiplatform virus and decided to reverse the OS X part. The original virus is from 2006 by JPanic and it’s called CAPZLOQ TEKNIQ v1.0. The new version adds support for infecting OS X binaries, 32-bit x86 only, although it does handle fat binaries (infecting just the x86 slice).
Source code for the original version is available.</description>
    </item>
    
    <item>
      <title>Gimmedebugah: how to embedded a Info.plist into arbitrary binaries</title>
      <link>https://reverse.put.as/2013/05/28/gimmedebugah-how-to-embedded-a-info-plist-into-arbitrary-binaries/</link>
      <pubDate>Tue, 28 May 2013 11:35:57 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2013/05/28/gimmedebugah-how-to-embedded-a-info-plist-into-arbitrary-binaries/</guid>
      <description>One of the changes introduced by Mountain Lion was the removal of the old procmod convention for applications that want to access the task port of a process (aka, for reversers, debuggers). Before this change, any binary that was setgid procmod could access the task port of other processes (running as the same user). The taskgated configuration in Mountain Lion was changed and removed this possibility. Only signed binaries that contain an embedded Info.</description>
    </item>
    
    <item>
      <title>The &#34;all&#34; new Onyx The Black Cat!</title>
      <link>https://reverse.put.as/2013/05/24/the-all-new-onyx-the-black-cat/</link>
      <pubDate>Fri, 24 May 2013 11:35:12 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2013/05/24/the-all-new-onyx-the-black-cat/</guid>
      <description>Suffering from post-conference boredom, I decided to redo the Onyx The Black Cat kernel extension to kickstart my brain again and get back to serious work. There were also some people asking for an updated version, so here it is!
This reworked version uses the kernel control interface to enable/disable its features. It is much better than the sysctl interface used before. It is also compatible with Snow Leopard, Lion, and Mountain Lion, and, hopefully, it should run without any problems in future versions.</description>
    </item>
    
    <item>
      <title>NoSuchCon #1 debrief and slides</title>
      <link>https://reverse.put.as/2013/05/21/nosuchcon-1-debrief-and-slides/</link>
      <pubDate>Tue, 21 May 2013 11:34:36 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2013/05/21/nosuchcon-1-debrief-and-slides/</guid>
      <description>NoSuchCon is over and I am finally back home. It was a really great conference with great talks and a full room all the time (let me say I am very surprised about this). The only negative thing was the projection “wall”, which was really bad and “killed” almost everyone’s slides. While I understand it is a historical building, that thing must be improved, either with a temporary solution or something else.</description>
    </item>
    
    <item>
      <title>Hydra, the sample util I am unable to describe!</title>
      <link>https://reverse.put.as/2013/05/13/hydra-the-sample-util-i-am-unable-to-describe/</link>
      <pubDate>Mon, 13 May 2013 11:33:58 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2013/05/13/hydra-the-sample-util-i-am-unable-to-describe/</guid>
      <description>Let me give you a small gift before moving my ass to Paris to attend and present at NoSuchCon.
Hydra is sample code for a kernel extension that will intercept process creation, suspend the process, and communicate it to a userland daemon that will be in charge of patching the application.
It uses the process hijacking technique I described in my SyScan presentation. Instead of injecting a library, it leaves the process in a suspended state and makes its PID available to the userland daemon.</description>
    </item>
    
    <item>
      <title>There is an error in my SyScan slides!</title>
      <link>https://reverse.put.as/2013/05/08/there-is-an-error-in-my-syscan-slides/</link>
      <pubDate>Wed, 08 May 2013 11:33:17 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2013/05/08/there-is-an-error-in-my-syscan-slides/</guid>
      <description>Today I discovered that my slides contain a (stupid) error!
The story begins with Alex Ionescu telling me the symbols are still available in kernel memory in Mountain Lion. I quickly verified this by doing memory dumps and it was really true. Today I finally got some time to sort it out and verify where they were. To my great surprise I fucked up bigtime on my manual calculations and was dumping the wrong memory area (DUH!</description>
    </item>
    
    <item>
      <title>SyScan13: Revisiting Mac OS X Rootkits presentation</title>
      <link>https://reverse.put.as/2013/05/07/syscan13-revisiting-mac-os-x-rootkits-presentation/</link>
      <pubDate>Tue, 07 May 2013 11:32:27 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2013/05/07/syscan13-revisiting-mac-os-x-rootkits-presentation/</guid>
      <description>SyScan 2013, 10th anniversary edition is over! It is a great conference and I hope it does not end here. I had lots of fun and met new interesting people. Thomas is an awesome host! It helps that I really like Singapore and Asia in general.
My presentation was about Mac OS X kernel rootkits based on the article I submitted to Phrack. Because Phrack is late, I was trying to postpone public availability of my slides.</description>
    </item>
    
    <item>
      <title>How to compile GDB in Mountain Lion (updated)</title>
      <link>https://reverse.put.as/2013/03/20/how-to-compile-gdb-in-mountain-lion-updated/</link>
      <pubDate>Wed, 20 Mar 2013 11:30:59 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2013/03/20/how-to-compile-gdb-in-mountain-lion-updated/</guid>
      <description>This is an up-to-date version of the old original post about recompiling GDB and other open source packages available at opensource.apple.com. I’m doing it mostly because code signing is now mandatory for GDB and there’s a stupid old bug that Apple still hasn’t fixed since Snow Leopard. I forgot about it on my latest reinstall and lost an afternoon. This way you and I will not make the same mistake.</description>
    </item>
    
    <item>
      <title>OS.X/Boubou – Mach-O infector PoC source code</title>
      <link>https://reverse.put.as/2013/03/05/os-xboubou-mach-o-infector-poc-source-code/</link>
      <pubDate>Tue, 05 Mar 2013 11:30:23 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2013/03/05/os-xboubou-mach-o-infector-poc-source-code/</guid>
      <description>More than half a year has passed since HITCON&#39;12 and as far as I know no one cared much about implementing some sort of detection/protection against this type of attack (correct me if I’m wrong). As explained in the HITCON slides, this trick can be very useful to install backdoors and avoid the usual lame LaunchDaemons type of thing.
I did some massive cleanup of the original PoC that I had glued together for HITCON, but it’s still a bit messy and definitely not “production” ready.</description>
    </item>
    
    <item>
      <title>Ice the Guardian v2, the OS X anti-lamware</title>
      <link>https://reverse.put.as/2013/02/14/ice-the-guardian-v2-the-os-x-anti-lamware/</link>
      <pubDate>Thu, 14 Feb 2013 11:29:46 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2013/02/14/ice-the-guardian-v2-the-os-x-anti-lamware/</guid>
      <description>Another day, another lame malware attacking and spying on OS X users, and still using the same old lame Daemons and Agents approach to gain persistence on victims’ machines. Hey, it works, so why change, right?
Ice the Guardian v2 is a quick hack using TrustedBSD to monitor the system LaunchDaemons and LaunchAgents folders. There’s a lot of room for improvement so I’m waiting for your commits 😉.
Apple has the technology in place, so they could probably implement something like this by default in OS X.</description>
    </item>
    
    <item>
      <title>Happy new year, 2013 edition!</title>
      <link>https://reverse.put.as/2012/12/28/happy-new-year-2013-edition/</link>
      <pubDate>Fri, 28 Dec 2012 11:29:12 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2012/12/28/happy-new-year-2013-edition/</guid>
      <description>And 2012 (Gregorian calendar version) is almost over, so it’s time to look back and ahead.
This year was certainly a great one for me. I had quite a few interesting projects, went to Asia and spoke at conferences for the first time, improved my skills a lot and fulfilled the main 2012 goal. It was certainly a very busy but fun year that set the pace for 2013. The projects’ queue for 2013 is already very interesting with lots of (fun) work ahead!</description>
    </item>
    
    <item>
      <title>A quick review of Mac OS X and iOS Internals – To the Apple’s Core</title>
      <link>https://reverse.put.as/2012/12/12/a-quick-review-of-mac-os-x-and-ios-internals-to-the-apples-core/</link>
      <pubDate>Wed, 12 Dec 2012 11:28:31 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2012/12/12/a-quick-review-of-mac-os-x-and-ios-internals-to-the-apples-core/</guid>
      <description>The question that most people want answered is whether this is the book to replace the venerable Mac OS X Internals by Amit Singh. In my opinion it’s complementary, with some good updates and interesting tips.
I wasn’t expecting to buy this book so soon, due to some Twitter comments and to printing issues, with at least one chapter missing and replaced with another from an ASP.net book. A project I’m working on cut my wait short.</description>
    </item>
    
    <item>
      <title>Otool-ng – a set of small patches to Apple’s otool</title>
      <link>https://reverse.put.as/2012/11/21/otool-ng-a-set-of-small-patches-to-apples-otool/</link>
      <pubDate>Wed, 21 Nov 2012 11:27:54 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2012/11/21/otool-ng-a-set-of-small-patches-to-apples-otool/</guid>
      <description>It’s the lazy post season, so I present you otool-ng. It’s a fork of Apple’s otool with small modifications for things that I use often or dislike in the current otool.
The LC_MAIN load command was introduced to replace LC_UNIXTHREAD, and one piece of information that is lost is the entrypoint address: LC_MAIN only stores an offset into __TEXT, not an address. While ASLR kind of makes it less useful, I still debug a lot of programs, and do other stuff, with ASLR disabled.</description>
    </item>
    
    <item>
      <title>Kextstat_ASLR util or how to start hiding your kernel rootkit in Mountain Lion</title>
      <link>https://reverse.put.as/2012/11/18/kext_aslr-util-or-how-to-start-hiding-your-kernel-rootkit-in-mountain-lion/</link>
      <pubDate>Sun, 18 Nov 2012 11:27:17 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2012/11/18/kext_aslr-util-or-how-to-start-hiding-your-kernel-rootkit-in-mountain-lion/</guid>
      <description>Welcome back!
This is a small post about a quick util that I created last night while working on a side project. Mountain Lion introduced kernel ASLR and the kextstat util output doesn’t support (yet?) this feature. The addresses are not the real ones and this is quite annoying (the kgmacros from the kernel debugging kit also seem to fail at this!).
What this util does is read the kernel extensions information via the /dev/kmem device (hence this util is probably not useful for a large audience) and display it like kextstat does, with the correct address for each kext (just the most important information; the linked-against info might be added in the future).</description>
    </item>
    
    <item>
      <title>5 years of reverse.put.as</title>
      <link>https://reverse.put.as/2012/10/10/5-years-of-reverse-put-as/</link>
      <pubDate>Wed, 10 Oct 2012 11:26:36 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2012/10/10/5-years-of-reverse-put-as/</guid>
      <description>Happy birthday to this blog!
In 2007 I bought my first-ever Apple computer and started this blog. The amount of (public) reverse-engineering related information was scarce, cracking in particular. It was a whole new platform to me and a blog would be a good way to share my findings with others. I had experienced this with the PalmOS platform, where I created quite a few tutorials but never made them public.</description>
    </item>
    
    <item>
      <title>My first Hackintosh</title>
      <link>https://reverse.put.as/2012/09/27/my-first-hakintosh/</link>
      <pubDate>Thu, 27 Sep 2012 11:25:06 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2012/09/27/my-first-hakintosh/</guid>
      <description>I really like my non-unibody MacBook Pro (awesome keyboard!) but its 3GB RAM limit makes it almost impossible to work with virtual machines, Mac OS VMs in particular.
I don’t have a need for another laptop, and the options were buying a Mac Pro or building my own Hackintosh. Against the Hackintosh is the fact that my patience for small problems doesn’t exist anymore. I just want something that works and does what I need – time is money.</description>
    </item>
    
    <item>
      <title>OS X Malware at Confraria de Segurança da Informação presentation slides</title>
      <link>https://reverse.put.as/2012/09/27/os-x-malware-at-confraria-de-seguranca-da-informacao-presentation-slides/</link>
      <pubDate>Thu, 27 Sep 2012 11:24:11 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2012/09/27/os-x-malware-at-confraria-de-seguranca-da-informacao-presentation-slides/</guid>
      <description>Yesterday I gave a presentation about OS X Malware at Confraria SI in Lisbon, a monthly meeting between IT sec professionals and enthusiasts.
The presentation was an update to the HiTCON version, removing some things about old malware and Flashback tricks, adding Crisis slides and small fixes to stuff here and there.</description>
Enjoy it 😃
fG!
Confraria 2012 Presentation.pdf</description>
    </item>
    
    <item>
      <title>Tales from Crisis, Chapter 4: A ghost in the network</title>
      <link>https://reverse.put.as/2012/08/26/tales-from-crisis-chapter-4-a-ghost-in-the-network/</link>
      <pubDate>Sun, 26 Aug 2012 11:22:36 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2012/08/26/tales-from-crisis-chapter-4-a-ghost-in-the-network/</guid>
      <description>This chapter was supposed to be about additional methods to detect OS.X/Crisis, but I had the evil idea of taking full control of Crisis, and played with this idea for the last couple of days. It’s pretty damn easy to customize the dropper and, at the limit, be able to deploy your own version of Crisis to anyone. This raises some problematic questions, some of which I was fooling around with on Twitter.</description>
    </item>
    
    <item>
      <title>Tales from Crisis, Chapter 3: The Italian Rootkit Job</title>
      <link>https://reverse.put.as/2012/08/21/tales-from-crisis-chapter-3-the-italian-rootkit-job/</link>
      <pubDate>Tue, 21 Aug 2012 11:19:06 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2012/08/21/tales-from-crisis-chapter-3-the-italian-rootkit-job/</guid>
      <description>I always had some strange attraction to rootkits and was thrilled to hear that Crisis had one. This chapter is dedicated to the rootkit implementation, its tricks and how it’s controlled (and its fuckups!).
A small disclaimer about me making fun of Italians on Twitter. I love Italy and have nothing against Italians. We just share some cultural things that I really hate, and that’s the reason why I was making fun of Crisis’ origins and some of its design/features.</description>
    </item>
    
    <item>
      <title>Tales from Crisis, Chapter 2: Backdoor’s first steps</title>
      <link>https://reverse.put.as/2012/08/20/tales-from-crisis-chapter-2-backdoors-first-steps/</link>
      <pubDate>Mon, 20 Aug 2012 11:16:10 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2012/08/20/tales-from-crisis-chapter-2-backdoors-first-steps/</guid>
      <description>Let’s continue our cute story about OS.X/Crisis, this time with the startup flow of the main backdoor module. Please excuse the delay on this chapter – I had some fun with the rootkit and that diverted me to other things.
The first curious detail about the backdoor module (installed as /Users/USERNAME/Library/Preferences/jlc3V7we.app/IZsROY7X.-MP) is that no obfuscation/anti-debugging tricks are used (except one), so its analysis is easier than the dropper’s. It also uses Objective-C heavily, which is still a bit annoying in IDA but has the advantage of the code being very descriptive.</description>
    </item>
    
    <item>
      <title>Tales from Crisis, Chapter 1: The dropper’s box of tricks</title>
      <link>https://reverse.put.as/2012/08/06/tales-from-crisis-chapter-1-the-droppers-box-of-tricks/</link>
      <pubDate>Mon, 06 Aug 2012 23:59:57 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2012/08/06/tales-from-crisis-chapter-1-the-droppers-box-of-tricks/</guid>
      <description>Mac malware is back in the news spotlight, this time with Crisis (insert one of the other thousand names here _____). This malware is nothing more than commercial spy software being sold for a lot of money to governments or something (oh boy, I could make a good living out of this).
I’m lucky enough to have a sample of it (thank you, you know who you are!) and also lucky to be able to talk about it (it uses some similar tricks that I knew about).</description>
    </item>
    
    <item>
      <title>ExtractMachO: an IDA plugin to extract Mach-O binaries from disassembly</title>
      <link>https://reverse.put.as/2012/07/30/extractmacho-an-ida-plugin-to-extract-mach-o-binaries-from-disassembly/</link>
      <pubDate>Mon, 30 Jul 2012 23:59:07 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2012/07/30/extractmacho-an-ida-plugin-to-extract-mach-o-binaries-from-disassembly/</guid>
      <description>This is an IDA plugin to extract Mach-O binaries located in the IDA disassembly, either in code or data segments. For now it only supports thin 32- or 64-bit binaries and not fat binaries. It also expects a normally formatted binary, not something mangled like my crackme, for example. I expect to add support for fat binaries soon.
Why did I create this plugin? Everyone is talking about the latest OS X malware, Crisis (or whatever other name everyone is using – the AV scene is so lame that no one respects the first name given, blah!</description>
    </item>
    
    <item>
      <title>HITCON 2012 Review and slides</title>
      <link>https://reverse.put.as/2012/07/27/hitcon-2012-review-and-slides/</link>
      <pubDate>Fri, 27 Jul 2012 23:57:01 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2012/07/27/hitcon-2012-review-and-slides/</guid>
      <description>After more than 30h inside planes and airports, I’m finally back home! Asia 2012 tour is over.
HITCON was really great and well organized. It was bigger than I expected, with lots of curious and cool people. Went in the mood and took many pictures with everyone – there goes my anonymity!
My speaking slot was after lunch, which is a tough one. I could only spot half a dozen sleeping so I might have done a good job.</description>
    </item>
    
    <item>
      <title>Secuinside 2012 Review and Slides</title>
      <link>https://reverse.put.as/2012/07/13/secuinside-2012-review-and-slides/</link>
      <pubDate>Fri, 13 Jul 2012 23:55:54 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2012/07/13/secuinside-2012-review-and-slides/</guid>
      <description>After 27h flying around the world and hanging around at airports, I’m finally back home.
Secuinside 2012 in Seoul was fantastic! The organization was really great and, most of all, exceptionally friendly and awesome hosts. There are minor details to work on for next year, but these guys had a very short time frame to organize this one. Lots of hard work behind it!
They definitely have the talent required to take it to the next step.</description>
    </item>
    
    <item>
      <title>See you in Asia!</title>
      <link>https://reverse.put.as/2012/06/25/see-you-in-asia/</link>
      <pubDate>Mon, 25 Jun 2012 23:55:06 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2012/06/25/see-you-in-asia/</guid>
      <description>I will be presenting in Taiwan at HiTCON, and in Seoul at Secuinside. If you are there, come and say hi! I don’t bite.
The HiTCON presentation will be focused on OS X malware and Secuinside on starting reversing adventures in OS X/iOS. While slides shouldn’t be the presentation’s main focus, I’m trying to make them usable for everyone outside the conferences. It’s not an easy task, and the introduction to reversing is proving much harder than I thought.</description>
    </item>
    
    <item>
      <title>&#34;Sandwich&#34; CrackMe tutorial by qwertyoruiop</title>
      <link>https://reverse.put.as/2012/06/04/sandwich-crackme-tutorial-by-qwertyoruiop/</link>
      <pubDate>Mon, 04 Jun 2012 23:54:25 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2012/06/04/sandwich-crackme-tutorial-by-qwertyoruiop/</guid>
      <description>This is a cracking and keygen tutorial by the reader qwertyoruiop. He’s having fun doing the crackmes and I asked him to write tutorials about them, and he did! So here is the first one in full glory.
Things have been quiet around here but busy in real life. I wanted to write a few posts about OS X malware, but I’m going to present at a conference in July on that topic (hopefully something interesting!</description>
    </item>
    
    <item>
      <title>A little social and economics experiment</title>
      <link>https://reverse.put.as/2012/04/16/a-little-social-and-economics-experiment/</link>
      <pubDate>Mon, 16 Apr 2012 23:52:51 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2012/04/16/a-little-social-and-economics-experiment/</guid>
      <description>I have a passion for the Human brain and Human behavior and I love to experiment with anything. My birthday is near, so it’s a good time to go forward with this idea.
The starting point is that this blog is absolutely non-profit oriented and that status will remain forever – no banners, no donations, etc. I do it purely for fun, pleasure and knowledge improvement, although it generates positive externalities (aka work!</description>
    </item>
    
    <item>
      <title>How to compile GDB for iOS!</title>
      <link>https://reverse.put.as/2012/04/16/how-to-compile-gdb-for-ios/</link>
      <pubDate>Mon, 16 Apr 2012 23:50:43 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2012/04/16/how-to-compile-gdb-for-ios/</guid>
      <description>One obstacle that I faced a long time ago and that came back into the spotlight is how to recompile GDB for iOS. It is not useful to fix the ARM disassembler and then not be able to compile it. As far as I know there isn’t any documentation available or an easy method to accomplish this – Saurik’s build environment is not public (?) and Apple’s sources do not compile directly. The Darwinbuild project works great for OS X but it’s a question mark for iOS.</description>
    </item>
    
    <item>
      <title>gdbinit v8.0: simultaneous support for x86/x86_64 and ARM architectures!</title>
      <link>https://reverse.put.as/2012/04/13/gdbinit-v8-0-simultaneous-support-for-x86x86_64-and-arm-architectures/</link>
      <pubDate>Fri, 13 Apr 2012 23:49:51 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2012/04/13/gdbinit-v8-0-simultaneous-support-for-x86x86_64-and-arm-architectures/</guid>
      <description>Here it is, a merge between the x86 and ARM versions of gdbinit. The only inconvenience is that you need to manually change the target, using the 32bits and 64bits commands for the x86/x86_64 architectures, and arm for ARM. That’s a small price to pay.
This version features a lot of cosmetic fixes (indentation mostly) but also some fixes to the ARM related code, and a new command – dumpmacho. This command will dump the Mach-O header to a file.</description>
    </item>
    
    <item>
      <title>Dynamic Code Encryption in OS X: the crackme example!</title>
      <link>https://reverse.put.as/2012/03/17/dynamic-code-encryption-in-os-x-the-crackme-example/</link>
      <pubDate>Sat, 17 Mar 2012 23:41:32 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2012/03/17/dynamic-code-encryption-in-os-x-the-crackme-example/</guid>
      <description>The title of this post is a partial rip-off of Dynamic Code Encryption as an Anti Dump and Anti Reverse Engineering measure blogpost. Alexey describes a technique similar to the one I used in my crackme, which isn’t altogether that new. His post is a good introduction to some possible attack vectors and what is at stake. You should give it a look.
The crackme uses a multi-layer dynamic code encryption approach, with two different encryption algorithms (Rabbit and Salsa).</description>
    </item>
    
    <item>
      <title>A small improvement to OS X “rootkitery”: bruteforcing sysent discovery, fast &amp; easy!</title>
      <link>https://reverse.put.as/2012/02/14/a-small-improvement-to-os-x-rootkitery-bruteforcing-sysent-discovery-fast-easy/</link>
      <pubDate>Tue, 14 Feb 2012 23:40:53 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2012/02/14/a-small-improvement-to-os-x-rootkitery-bruteforcing-sysent-discovery-fast-easy/</guid>
      <description>I love to read about the Human brain and yesterday I was feeling weird about this thing. As far as I know, everyone (publicly) was trying to search sysent in one way or another after Apple removed the sysent symbols but not bruteforcing it. It seems no one bothered to question the original method (Landon Fuller?) and just kept using it. Are there any historical reasons for this? I can’t remember any.</description>
    </item>
    
    <item>
      <title>AV-monster: the monster that loves yummy OS X anti-virus software</title>
      <link>https://reverse.put.as/2012/02/13/av-monster-the-monster-that-loves-yummy-os-x-anti-virus-software/</link>
      <pubDate>Mon, 13 Feb 2012 23:39:52 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2012/02/13/av-monster-the-monster-that-loves-yummy-os-x-anti-virus-software/</guid>
      <description>Welcome to another “silly” evil idea that abuses bad design decisions, bad implementations and laziness. It is the last of my ideas in a state of semi-disclosure, so let’s move it to full disclosure status.
The full disclosure discussion will probably never end. There are too many interests at stake, mostly in opposite directions. For me it’s worrisome that (security) products are available with notorious design/implementation flaws which put customers at risk and fail at their purpose.</description>
    </item>
    
    <item>
      <title>Obfuscation #2: Playing entrypoint hide &amp; seek game with dyld</title>
      <link>https://reverse.put.as/2012/02/07/obfuscation-2-playing-entrypoint-hide-seek-game-with-dyld/</link>
      <pubDate>Tue, 07 Feb 2012 23:38:18 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2012/02/07/obfuscation-2-playing-entrypoint-hide-seek-game-with-dyld/</guid>
      <description>Load command 9
        cmd LC_UNIXTHREAD
    cmdsize 80
     flavor i386_THREAD_STATE
      count i386_THREAD_STATE_COUNT
        eax 0x00000000 ebx    0x00000000 ecx 0x00000000 edx 0x00000000
        edi 0x00000000 esi    0x00000000 ebp 0x00000000 esp 0x00000000
        ss  0x00000000 eflags 0x00000000 eip 0x186b2662 cs  0x00000000
        ds  0x00000000 es     0x00000000 fs  0x00000000 gs  0x00000000
This is from the header of my crackme and that entrypoint is a random value. When the entrypoint is the original and valid one, IDA is more or less smart and uses that information if the headers are mangled (just the offsets).</description>
    </item>
    
    <item>
      <title>A little more fun with Mach-O headers: adding and spoofing a constructor</title>
      <link>https://reverse.put.as/2012/02/06/a-little-more-fun-with-mach-o-headers-adding-and-spoofing-a-constructor/</link>
      <pubDate>Mon, 06 Feb 2012 23:36:35 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2012/02/06/a-little-more-fun-with-mach-o-headers-adding-and-spoofing-a-constructor/</guid>
      <description>The fun with Mach-O headers continues, this time with a “simple” trick to inject a new constructor and “spoofing” its location. It does not work in iOS (non-jb) and it will be killed if Apple decides to do things right and respect the specification, so let’s disclose it! Might be useful for some wannabe malware writer. I bet that OS X malware analysts are demanding some fun into their “boring” work time.</description>
    </item>
    
    <item>
      <title>Anti-disassembly &amp; obfuscation #1: Apple doesn’t follow their own Mach-O specifications?</title>
      <link>https://reverse.put.as/2012/02/02/anti-disassembly-obfuscation-1-apple-doesnt-follow-their-own-mach-o-specifications/</link>
      <pubDate>Thu, 02 Feb 2012 23:34:54 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2012/02/02/anti-disassembly-obfuscation-1-apple-doesnt-follow-their-own-mach-o-specifications/</guid>
      <description>I smile when I think about this “feature”! I liked it so much that things got out of control and I wrote a crackme to show it. It happens because Apple doesn’t follow their own documentation/specification and the reversing tools of the trade do. The result is that IDA terminates, disassemblers output the wrong disassembly, strings are messed up, LLDB disassembles the wrong code (not GDB), class-dump will fail, and the reverser looks at a weird Mach-O header.</description>
    </item>
    
    <item>
      <title>Anti-debug trick #1: Abusing Mach-O to crash GDB</title>
      <link>https://reverse.put.as/2012/01/31/anti-debug-trick-1-abusing-mach-o-to-crash-gdb/</link>
      <pubDate>Tue, 31 Jan 2012 23:33:45 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2012/01/31/anti-debug-trick-1-abusing-mach-o-to-crash-gdb/</guid>
      <description>I developed this funny trick while trying to find a solution for a problem in a project. It is pretty easy to implement and fun.
The trick consists of abusing the offset field in the dylib_command and pointing it somewhere else. From the Mach-O File Format Reference document, the command structures are:
struct dylib_command {
    uint_32 cmd;
    uint_32 cmdsize;
    struct dylib dylib;
};

struct dylib {
    union lc_str name;
    uint_32 timestamp;
    uint_32 current_version;
    uint_32 compatibility_version;
};

union lc_str {
    uint32_t offset;
#ifndef __LP64__
    char *ptr;
#endif
};
The definition of the offset field is:</description>
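The entrypoint decoy from the Obfuscation #2 post and the dylib_command offset trick above both work because the tools trust header fields without cross-checking them against the rest of the image. The Python below is an added example, not code from the blog or from the crackme: it walks the load commands of a little-endian Mach-O image, reads the LC_UNIXTHREAD eip/rip, and flags an entrypoint that does not fall inside an executable LC_SEGMENT, as well as any LC_LOAD_DYLIB whose lc_str offset points outside its own command. The image it checks is a hand-built 32-bit header (constructed for this example, with no code behind it); the constants come from mach-o/loader.h and mach/i386/thread_status.h.

```python
"""Walk the load commands of a Mach-O image and sanity-check two header
fields that debuggers and disassemblers trust blindly:

  * the LC_UNIXTHREAD entrypoint (eip / rip) must land inside an
    LC_SEGMENT that is mapped executable, otherwise it is a decoy;
  * the lc_str.offset of every LC_LOAD_DYLIB must point inside its own
    command, otherwise the name is being read from somewhere else.

Added example, not code from the blog.  The only input is a hand-built
header (constructed sample, no code behind it), so it runs offline."""

MH_MAGIC = 0xFEEDFACE
MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT = 0x1
LC_UNIXTHREAD = 0x5
LC_LOAD_DYLIB = 0xC
LC_SEGMENT_64 = 0x19
VM_PROT_EXECUTE = 0x4
I386_THREAD_STATE = 1        # 16 x uint32, eip is register index 10
X86_THREAD_STATE64 = 4       # 21 x uint64 (count 42), rip is register index 16
DYLIB_NAME_MIN_OFFSET = 24   # sizeof(struct dylib_command); the name follows it


def u32(buf, off):
    return int.from_bytes(buf[off:off + 4], "little")


def u64(buf, off):
    return int.from_bytes(buf[off:off + 8], "little")


def p32(value):
    return value.to_bytes(4, "little")


def load_commands(image):
    """Yield (cmd, offset, cmdsize) for every load command, refusing any
    cmdsize that would walk past sizeofcmds or off the buffer."""
    magic = u32(image, 0)
    if magic == MH_MAGIC:
        off = 28                      # sizeof(struct mach_header)
    elif magic == MH_MAGIC_64:
        off = 32                      # sizeof(struct mach_header_64)
    else:
        raise ValueError("not a little-endian Mach-O image")
    ncmds, end = u32(image, 16), off + u32(image, 20)
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load commands run past sizeofcmds")
        cmd, cmdsize = u32(image, off), u32(image, off + 4)
        if 8 > cmdsize or off + cmdsize > end:
            raise ValueError("bad cmdsize 0x%x at offset 0x%x" % (cmdsize, off))
        yield cmd, off, cmdsize
        off += cmdsize


def analyse(image):
    """Return {'entry': int or None, 'findings': [str]}; an empty findings
    list means the header is internally consistent."""
    findings, exec_ranges, entry = [], [], None
    for cmd, off, size in load_commands(image):
        if cmd in (LC_SEGMENT, LC_SEGMENT_64):
            if cmd == LC_SEGMENT:       # vmaddr @24, vmsize @28, initprot @44
                vmaddr, vmsize, initprot = u32(image, off + 24), u32(image, off + 28), u32(image, off + 44)
            else:                       # vmaddr @24, vmsize @32, initprot @60
                vmaddr, vmsize, initprot = u64(image, off + 24), u64(image, off + 32), u32(image, off + 60)
            if (initprot // VM_PROT_EXECUTE) % 2 == 1:   # VM_PROT_EXECUTE bit set
                exec_ranges.append((vmaddr, vmsize))
        elif cmd == LC_UNIXTHREAD:
            flavor, count = u32(image, off + 8), u32(image, off + 12)
            if 16 + count * 4 > size:
                findings.append("LC_UNIXTHREAD state count %d overruns its command" % count)
            elif flavor == I386_THREAD_STATE and count == 16:
                entry = u32(image, off + 16 + 10 * 4)
            elif flavor == X86_THREAD_STATE64 and count == 42:
                entry = u64(image, off + 16 + 16 * 8)
            else:
                findings.append("LC_UNIXTHREAD has unexpected flavor %d / count %d" % (flavor, count))
        elif cmd == LC_LOAD_DYLIB:
            name_off = u32(image, off + 8)          # union lc_str, offset member
            if name_off >= DYLIB_NAME_MIN_OFFSET and size > name_off:
                if b"\0" not in image[off + name_off:off + size]:
                    findings.append("LC_LOAD_DYLIB name at 0x%x is not NUL-terminated inside the command" % name_off)
            else:
                findings.append("LC_LOAD_DYLIB name offset 0x%x points outside its %d-byte command" % (name_off, size))
    if entry is None:
        findings.append("no usable LC_UNIXTHREAD entrypoint")
    elif not any(entry >= lo and lo + length > entry for lo, length in exec_ranges):
        findings.append("entrypoint 0x%x is not inside an executable segment" % entry)
    return {"entry": entry, "findings": findings}


def build_sample(entry, name_offset=DYLIB_NAME_MIN_OFFSET):
    """Constructed 32-bit header: one r-x __TEXT segment at 0x1000-0x2000,
    an LC_UNIXTHREAD with the given eip, and one LC_LOAD_DYLIB whose
    lc_str offset the caller controls (24 is the honest value)."""
    name = b"/usr/lib/libSystem.B.dylib\0"
    name += b"\0" * (-len(name) % 4)                 # keep cmdsize 4-byte aligned
    seg = p32(LC_SEGMENT) + p32(56) + b"__TEXT".ljust(16, b"\0")
    seg += b"".join(p32(v) for v in (0x1000, 0x1000, 0, 0x1000, 7, 5, 0, 0))
    regs = [0] * 16
    regs[10] = entry                                 # eip slot of i386_thread_state
    thread = p32(LC_UNIXTHREAD) + p32(80) + p32(I386_THREAD_STATE) + p32(16)
    thread += b"".join(p32(r) for r in regs)
    dylib = p32(LC_LOAD_DYLIB) + p32(DYLIB_NAME_MIN_OFFSET + len(name))
    dylib += b"".join(p32(v) for v in (name_offset, 2, 0x10000, 0x10000)) + name
    cmds = seg + thread + dylib
    header = b"".join(p32(v) for v in (MH_MAGIC, 7, 3, 2, 3, len(cmds), 0x85))
    return header + cmds


if __name__ == "__main__":
    print("honest header :", analyse(build_sample(0x1A40)))
    print("mangled header:", analyse(build_sample(0x186B2662, name_offset=0x400)))
```

The checker deliberately stops at the load-command table and never dereferences the bogus offset, which is the whole point: a tool that follows lc_str.offset first and validates later is the one that gets crashed or misled. It does not handle fat (universal) wrappers or big-endian images; strip those with lipo first or extend load_commands if you need them.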
    </item>
    
    <item>
      <title>We have a crackme winner!!!</title>
      <link>https://reverse.put.as/2012/01/31/we-have-a-crackme-winner/</link>
      <pubDate>Tue, 31 Jan 2012 23:32:57 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2012/01/31/we-have-a-crackme-winner/</guid>
      <description>This Sunday I received a valid keygen solution for my crackme. Congratulations to the reverser who wishes to remain anonymous.
When the solution is available our brain stops thinking and goes into lazy mode. So, my question is when do you want to have me starting to explain some of the tricks used in that crackme? Right now? Next week? In a month?
I asked the keygen author some questions to better understand his attack.</description>
    </item>
    
    <item>
      <title>My first crackme... from hell, I hope :-)</title>
      <link>https://reverse.put.as/2012/01/24/my-first-crackme-from-hell-i-hope/</link>
      <pubDate>Tue, 24 Jan 2012 23:32:11 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2012/01/24/my-first-crackme-from-hell-i-hope/</guid>
      <description>My first OS X crackme is finally ready, after a long wait and some unnecessary teasing. Ready means that it is good enough to be released and hopefully give you some trouble to reverse and crack it. I still have many more ideas to implement and some areas could be more polished – it was time to take an executive decision and freeze the code. There are some assumptions (economists love this term) due to the crackme nature – if it was an application more fun games could be played.</description>
    </item>
    
    <item>
      <title>A Mac OS X port of Phrack’s CheckIDT util by kad, or another way to retrieve sysent address</title>
      <link>https://reverse.put.as/2012/01/10/a-mac-os-x-port-of-phracks-checkidt-util-by-kad-or-another-way-to-retrieve-sysent-address/</link>
      <pubDate>Tue, 10 Jan 2012 23:31:40 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2012/01/10/a-mac-os-x-port-of-phracks-checkidt-util-by-kad-or-another-way-to-retrieve-sysent-address/</guid>
      <description>This is an OS X port of kad’s checkidt utility featured in Phrack #59. It requires /dev/kmem to be active, since task_for_pid on the kernel task has been prohibited since Snow Leopard.
I have added an option to calculate the sysent address via the IDT. The code is not very fail-proof because it matches on opcode hex values; disassembly is probably a better option. This is just a PoC written some time ago, so there are some ugly things inside.</description>
    </item>
    
    <item>
      <title>gdbinit v7.4.4 – the skip command</title>
      <link>https://reverse.put.as/2012/01/10/gdbinit-v7-4-4-the-skip-command/</link>
      <pubDate>Tue, 10 Jan 2012 23:31:05 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2012/01/10/gdbinit-v7-4-4-the-skip-command/</guid>
      <description>Here is a small update to gdbinit with a new command, skip. This command will skip over the current instruction, without executing it. Usually I do it manually by set $pc=newvalue but this involves copy &amp;amp; paste and mouse movements and gets boring after a while. It’s great to skip over calls while you are trying some stuff and analysing some program behavior.
By default it will not execute the command at the new address.</description>
    </item>
    
    <item>
      <title>Some comments about plugin-alliance.com protection...</title>
      <link>https://reverse.put.as/2012/01/09/some-comments-about-plugin-alliance-com-protection/</link>
      <pubDate>Mon, 09 Jan 2012 23:30:25 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2012/01/09/some-comments-about-plugin-alliance-com-protection/</guid>
      <description>It sucks, sort of!
Let me rewind to the beginning.
I was very curious about this one because it was announced with great fanfare. I interpreted it as something more robust than it really is – maybe I was over enthusiastic with the “we know this will be cracked someday” sentence.
Some brief comments:
There are no anti-debug measures. There are no binary integrity protections – patch whatever you want! It has an annoying constant polling for the license file (I observed at least 5 hits per second – what a meaningless waste of CPU).</description>
    </item>
    
    <item>
      <title>Merry Christmas, Happy New Year and some notes...</title>
      <link>https://reverse.put.as/2011/12/18/merry-christmas-happy-new-year-and-some-notes/</link>
      <pubDate>Sun, 18 Dec 2011 23:28:48 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2011/12/18/merry-christmas-happy-new-year-and-some-notes/</guid>
      <description>Merry Christmas or whatever applies or not to your particular case, and much more important, Happy New Year!
The world is messed up and it will probably get worse in 2012. Cheer up and be positive!
Let me write some quick notes about some stuff:
Take a look at Snare’s presentation about OS X Rootkits! Available at Papers section or here. Check out the fantastic Hopper disassembler and decompiler here or at the Mac App Store.</description>
    </item>
    
    <item>
      <title>Evil iTunes Plugins from Hell</title>
      <link>https://reverse.put.as/2011/11/22/evil-itunes-plugins-from-hell/</link>
      <pubDate>Tue, 22 Nov 2011 23:27:31 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2011/11/22/evil-itunes-plugins-from-hell/</guid>
      <description>Let me start this with some sort of disclaimer. I do not support/condone stealing credit card information, logins, and other personal information. Disclosing security issues is always a double-edged sword and a tricky problem with some politics in the mix. This problem was reported almost 3 months ago to Apple. It’s still not fixed after, at least, two iTunes releases. I perfectly understand the business side of fixing bugs and how business most of the time must come first (I have experience in critical environments where these types of problems can cost a lot of money and bad publicity).</description>
    </item>
    
    <item>
      <title>gdbinit v7.4.3</title>
      <link>https://reverse.put.as/2011/11/04/gdbinit-v7-4-3/</link>
      <pubDate>Fri, 04 Nov 2011 23:26:55 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2011/11/04/gdbinit-v7-4-3/</guid>
      <description>A small update to gdbinit. Many thanks to snare and Plouj for their reports 😃.
Here is the changelog:
Version 7.4.3 (04/11/2011) – Modified “hexdump” command to support a variable number of lines (optional parameter). – Removed restrictions on the type of addresses used in the “dd” command. – Modified the assemble command to support 64 bits – You will need to recompile nasm since the version shipped with OS X doesn’t support 64 bits (www.</description>
    </item>
    
    <item>
      <title>Display Mach-O headers plugin for IDA</title>
      <link>https://reverse.put.as/2011/11/03/display-mach-o-headers-plugin-for-ida/</link>
      <pubDate>Thu, 03 Nov 2011 23:25:45 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2011/11/03/display-mach-o-headers-plugin-for-ida/</guid>
      <description>This is a simple plugin to display Mach-O headers inside IDA, something I miss from time to time. It was a good excuse to mess a little with IDA SDK.
It’s not quite what I had initially in mind but it does the job. I was thinking about something more sophisticated such as allow to display only the segment you wanted and so on. Now I am not sure if it’s worth the effort.</description>
    </item>
    
    <item>
      <title>How to create IDA C/C&#43;&#43; plugins with Xcode</title>
      <link>https://reverse.put.as/2011/10/31/how-to-create-ida-cc-plugins-with-xcode/</link>
      <pubDate>Mon, 31 Oct 2011 23:24:28 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2011/10/31/how-to-create-ida-cc-plugins-with-xcode/</guid>
      <description>This is just a simple post about using Xcode to create IDA C/C++ plugins. Nothing fancy here. For great references about IDA SDK plugin writing check out The IDA Pro Book by Chris Eagle and binarypool.com tutorial.
Xcode 3.2.6 is the reference version used. The resulting project loads and compiles without any issues in Xcode 4. Why not do this in 4? The human brain is mysterious (3.x still loads by default on my system).</description>
    </item>
    
    <item>
      <title>Using OS X TrustedBSD framework to protect critical files</title>
      <link>https://reverse.put.as/2011/10/27/using-os-x-trustedbsd-framework-to-protect-critical-files/</link>
      <pubDate>Thu, 27 Oct 2011 23:23:31 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2011/10/27/using-os-x-trustedbsd-framework-to-protect-critical-files/</guid>
      <description>And here we are with a few spare minutes! My baby girl is a little cute devil who, like me, isn’t very fond of sleeping all the time. She’s taking a lot of my attention so mom can rest. Well, it’s time well spent while I still have lots of it.
Let’s get back to business&amp;hellip; There was some fuss around with the latest version of the so called Flashback.C OS X Trojan.</description>
    </item>
    
    <item>
      <title>Poking around Sentinel HASP Envelope for Mac OS X :-)</title>
      <link>https://reverse.put.as/2011/10/13/poking-around-sentinel-hasp-envelope-for-mac-os-x/</link>
      <pubDate>Thu, 13 Oct 2011 23:22:47 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2011/10/13/poking-around-sentinel-hasp-envelope-for-mac-os-x/</guid>
      <description>I am a sucker for all OS X anti-debug promises I can find. There are so few tricks available that I am always curious to see if there is something new in town. So I started poking around Sentinel HASP Envelope for OS X to see what they use to fool my dear debuggers.
Well, we have the usual ptrace and sysctl tricks, a check for a kernel debugger (via kernel boot arguments), and, to my (good) surprise, one of the anti-debug tricks I discovered a few months ago.</description>
    </item>
    
    <item>
      <title>A small rant about dongles: the developer who can’t correctly implement a HASP!</title>
      <link>https://reverse.put.as/2011/10/11/a-small-rant-about-dongles-the-developer-who-cant-correctly-implement-a-hasp/</link>
      <pubDate>Tue, 11 Oct 2011 23:21:45 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2011/10/11/a-small-rant-about-dongles-the-developer-who-cant-correctly-implement-a-hasp/</guid>
      <description>Dongles always had something mystique about them. Before this new age of packers, cryptors, etc., they were the top target to beat. In practice, that fame was only real in a reduced set of applications that correctly implemented the dongle. Most dongle-protected software features bad implementations. Developers don’t spend enough time in this area or think that it’s the magic bullet to solve their problems.
This program is another fine example of this problem.</description>
    </item>
    
    <item>
      <title>Fixes for the TrustedBSD backdoor – Rex the wonder dog v0.2</title>
      <link>https://reverse.put.as/2011/09/26/fixes-for-the-trustedbsd-backdoor-rex-the-wonder-dog-v0-2/</link>
      <pubDate>Mon, 26 Sep 2011 23:21:08 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2011/09/26/fixes-for-the-trustedbsd-backdoor-rex-the-wonder-dog-v0-2/</guid>
      <description>I like things well done, and the healthy discussion with snare about this topic reminded me that this PoC was a bit incomplete. So I decided to close the missing gaps.
The fix is pretty simple. Retrieve a new kauth credential with uid and gid equal to 0 and replace the old one (the code seems stable even without process locks). It also seems to work fine without the allproc lock. The backdoor also had a small “bug” that I didn’t notice due to a coincidence.</description>
    </item>
    
    <item>
      <title>Abusing OS X TrustedBSD framework to install r00t backdoors...</title>
      <link>https://reverse.put.as/2011/09/18/abusing-os-x-trustedbsd-framework-to-install-r00t-backdoors/</link>
      <pubDate>Sun, 18 Sep 2011 23:20:12 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2011/09/18/abusing-os-x-trustedbsd-framework-to-install-r00t-backdoors/</guid>
      <description>While poking around the OS X implementation of TrustedBSD to write the sandbox guide, I had the idea of trying to abuse it for backdooring purposes. It’s kind of funny that something designed to protect can be so “easily” abused to install backdoors. This is not rocket science or a big breakthrough post – I was just curious about the possibility of abusing the framework. You still need to find a way to install the kernel module!</description>
    </item>
    
    <item>
      <title>4th anniversary...</title>
      <link>https://reverse.put.as/2011/09/14/4th-anniversary/</link>
      <pubDate>Wed, 14 Sep 2011 23:19:34 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2011/09/14/4th-anniversary/</guid>
      <description>This blog is more or less 4 years old (the first draft post is from 2007/09/25)&amp;hellip; Uau, time passed by quickly! Mistakes were made, valuable lessons were learnt, new tricks developed, knowledge improved, and most important, fun!
I created this blog because there was so little public information about reversing in OS X. The act of sharing information and knowledge helps you in the research and learning process. Unfortunately I cannot share as much as I wanted to – the world is full of greed and stupidity (read Survival of the Stupidest) and someone will always misuse information.</description>
    </item>
    
    <item>
      <title>Apple Sandbox Guide v1.0</title>
      <link>https://reverse.put.as/2011/09/14/apple-sandbox-guide-v1-0/</link>
      <pubDate>Wed, 14 Sep 2011 23:18:56 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2011/09/14/apple-sandbox-guide-v1-0/</guid>
      <description>Here it is a version I consider good enough to come out of draft status. I have added more information – one thing I was especially interested was to match the available operations in the SBPL syntax with the system/kernel functions that they control. This helps to better understand what is the impact of each operation. Appendix B features the lazy IDC script I used to extract this information from the sandbox kernel module (then I had to match with XNU kernel sources).</description>
    </item>
    
    <item>
      <title>Apple’s Sandbox Guide v0.1 – early draft release</title>
      <link>https://reverse.put.as/2011/09/03/apples-sandbox-guide-v0-1-early-draft-release/</link>
      <pubDate>Sat, 03 Sep 2011 23:18:06 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2011/09/03/apples-sandbox-guide-v0-1-early-draft-release/</guid>
      <description>After quite a few hours typing and testing stuff, here is a very early draft of my attempt to document Apple’s sandbox implementation. The most difficult part in writing technical documentation or business plans is to get the first draft more or less ready. It’s even worse when there’s not much information about the subject. But here it is, something with already quite some significant content.
In this draft I don’t like the writing style – it’s still very confusing and boring.</description>
    </item>
    
    <item>
      <title>Using Apple’s sandbox feature for reversing purposes</title>
      <link>https://reverse.put.as/2011/08/30/using-apples-sandbox-feature-for-reversing-purposes/</link>
      <pubDate>Tue, 30 Aug 2011 23:17:17 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2011/08/30/using-apples-sandbox-feature-for-reversing-purposes/</guid>
      <description>I was just messing with Apple’s sandbox implementation to see if it was possible to close a “vulnerability” in iTunes (more on that later after Apple answers my email) and decided to experiment with something that has been in my mind for a long time and never bothered to try. The idea is to use the sandbox feature to find, for example, hidden files that applications use for serial numbers, time limits, demo limits, etc, or to trace install scripts or malware.</description>
    </item>
    
    <item>
      <title>Removing iTunes 10.4 m3u processing feature with a small loader</title>
      <link>https://reverse.put.as/2011/08/25/removing-itunes-10-4-m3u-processing-feature-with-a-small-loader/</link>
      <pubDate>Thu, 25 Aug 2011 23:16:28 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2011/08/25/removing-itunes-10-4-m3u-processing-feature-with-a-small-loader/</guid>
      <description>I just discovered that iTunes 10.4 finally introduced support to load m3u files. If you are importing large quantities of MP3 archives like me, then you will probably be very annoyed by the mess that iTunes 10.4 will make out of this – playlists will be created and an ugly mess will emerge (and it takes longer to process). So it was time to try to remove this feature, which is curious since I always wanted this in iTunes, before I surrendered myself to its way of managing MP3s.</description>
    </item>
    
    <item>
      <title>Another patch for Apple’s GDB: the define/commands problem</title>
      <link>https://reverse.put.as/2011/08/20/another-patch-for-apples-gdb-the-definecommands-problem/</link>
      <pubDate>Sat, 20 Aug 2011 23:15:06 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2011/08/20/another-patch-for-apples-gdb-the-definecommands-problem/</guid>
      <description>One known problem with Apple’s fork of open source software is their slowness in fixing vulnerabilities and bugs. GDB fork isn’t immune to this; it was forked around release 6.6 or something like that and lots of stuff isn’t kept in sync with GNU’s GDB version.
The short story for this bug is that you can’t have a commands command inside a define command. This creates some problems for useful scripting.</description>
    </item>
    
    <item>
      <title>How GDB disables ASLR in Mac OS X Lion</title>
      <link>https://reverse.put.as/2011/08/11/how-gdb-disables-aslr-in-mac-os-x-lion/</link>
      <pubDate>Thu, 11 Aug 2011 23:14:09 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2011/08/11/how-gdb-disables-aslr-in-mac-os-x-lion/</guid>
      <description>This isn’t a rocket science post but more like some notes for future reference 😄.
Lion finally introduces full ASLR and GDB has the possibility to disable that feature when analyzing target binaries. A new GDB setting was added, disable-aslr, which allows to enable or disable this feature.
By default this feature appears to be enabled (I am just looking at GDB source code) and it’s set by the variable disable_aslr_flag configured at gdb/macosx/macosx-tdep.</description>
    </item>
    
    <item>
      <title>gdbinit v7.4.2, Github and Twitter</title>
      <link>https://reverse.put.as/2011/08/11/gdbinit-v7-4-2-github-and-twitter/</link>
      <pubDate>Thu, 11 Aug 2011 23:13:34 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2011/08/11/gdbinit-v7-4-2-github-and-twitter/</guid>
      <description>Hello,
It seems like things are very quiet and I only push gdbinit updates. Well, I have been very busy with very interesting projects, most of which can’t see yet the “light of the day”. Need to find some time to fool around with some new stuff.
It seems that VMprotect is coming to OS X and that is exciting news. I hope they finish it soon since I am curious about Mac specific implementation and tricks.</description>
    </item>
    
    <item>
      <title>gdbinit v7.4</title>
      <link>https://reverse.put.as/2011/06/20/gdb-init-v7-4/</link>
      <pubDate>Mon, 20 Jun 2011 23:12:34 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2011/06/20/gdb-init-v7-4/</guid>
      <description>Hello,
Just posting a small update to gdbinit. A friend asked for colouring the register changes as it happens in Ollydbg. I have enabled it by default (modify variable SHOWREGCHANGES if you don’t like it). I have also added a colour patch that Phillipe sent me – it will colour the 1st line of the disassembly (by default it’s off, modify variable SETCOLOUR1STLINE).
Here it is a screenshot of both options enabled:</description>
    </item>
    
    <item>
      <title>Added a new page, Papers &amp; Presentations</title>
      <link>https://reverse.put.as/2011/06/01/added-a-new-page-papers-presentations/</link>
      <pubDate>Wed, 01 Jun 2011 23:11:58 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2011/06/01/added-a-new-page-papers-presentations/</guid>
      <description>I have added a new page called Papers that contains papers &amp;amp; presentations related to OS X and iOS (reversing, hacking, exploitation) that I have floating around in my harddisks.
It’s a work in progress since I have stuff spread everywhere!
Please be gentle with any mirroring efforts 😉.
Enjoy,
fG!</description>
    </item>
    
    <item>
      <title>A little vulnerability in The Heist iOS game or how to get (more) free Steam codes for Eets game!</title>
      <link>https://reverse.put.as/2011/05/25/a-little-vulnerability-in-the-heist-ios-game-or-how-to-get-more-free-steam-codes-for-eets-game/</link>
      <pubDate>Wed, 25 May 2011 23:11:24 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2011/05/25/a-little-vulnerability-in-the-heist-ios-game-or-how-to-get-more-free-steam-codes-for-eets-game/</guid>
      <description>MacHeist released a great puzzle game called The Heist, promising a prize when you managed to open the safe. Since I am a sucker for puzzle games I bought it and gave a brief check on its code. There is a single url in the program and some references to SHA256, this being a good indicator that they thought a little about security. I started playing the game and finally opened the safe.</description>
    </item>
    
    <item>
      <title>How to remove iPad/iPhone/iPod Touch encrypted backups password if you forgot it</title>
      <link>https://reverse.put.as/2011/05/09/how-to-remove-ipadiphoneipod-touch-encrypted-backups-password-if-you-forgot-it/</link>
      <pubDate>Mon, 09 May 2011 23:10:35 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2011/05/09/how-to-remove-ipadiphoneipod-touch-encrypted-backups-password-if-you-forgot-it/</guid>
      <description>These last days I must be set on an Apple devices destruction mode. First I lost access to my MacBook while trying to increase its physical security – I configured it to boot from network and I lost all access to boot sequence commands. I think my model has an EFI bug because the security-mode set to full doesn’t ask for a password when I start/restart my laptop; it only asks for a password if I want to boot from other devices.</description>
    </item>
    
    <item>
      <title>An interview with CrackZ and (incomplete) source code to Contract Killer &#34;trainer&#34;</title>
      <link>https://reverse.put.as/2011/04/24/an-interview-with-crackz-and-incomplete-source-code-to-contract-killer-trainer/</link>
      <pubDate>Sun, 24 Apr 2011 23:09:56 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2011/04/24/an-interview-with-crackz-and-incomplete-source-code-to-contract-killer-trainer/</guid>
      <description>I just found a nice interview with CrackZ here. He nails the point that curiosity and intellectual challenge trumps above everything else but also demonstrates the process from not caring about the impact of his acts to something more &amp;ldquo;ethical&amp;rdquo;. His site is still one of the best resources for Windows reversing, especially regarding dongles.
I have also decided to publish an incomplete version of my trainer for Contract Killer. I see that cheating is widespread so I think there’s not much impact from doing this.</description>
    </item>
    
    <item>
      <title>Newsflash: How to fuck up 40 million USD – The New York Times paywall and its iPad app</title>
      <link>https://reverse.put.as/2011/04/01/newsflash-how-to-fuck-up-40-million-usd-the-new-york-times-paywall-and-its-ipad-app/</link>
      <pubDate>Fri, 01 Apr 2011 23:09:08 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2011/04/01/newsflash-how-to-fuck-up-40-million-usd-the-new-york-times-paywall-and-its-ipad-app/</guid>
      <description>This will be a story in development, which is kind of funny taking into account the target in question. I might be wrong on all this, but my instinct is hinting to me that I’m not.
After the Contract Killer post I got very much interested in verifying these kind of implementations in other apps. This morning I had a flash into my mind about checking what happened with the NY Times app.</description>
    </item>
    
    <item>
      <title>Hacking a freemium iOS app: Contract Killer … or unlimited play without spending a dime (or any other currency)</title>
      <link>https://reverse.put.as/2011/03/29/hacking-a-freemium-ios-app-contract-killer-or-unlimited-play-without-spending-a-dime-or-any-other-currency/</link>
      <pubDate>Tue, 29 Mar 2011 23:08:29 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2011/03/29/hacking-a-freemium-ios-app-contract-killer-or-unlimited-play-without-spending-a-dime-or-any-other-currency/</guid>
      <description>Let me start this post with a little rant. The iPad is a great product but it’s full of &amp;ldquo;spyware&amp;rdquo; and that sucks big time. One might argue that it’s not spyware, it’s just sending bits of information. Well, for me it’s damn spyware because I’m not authorizing the apps to send any information, much less unique pieces of information that can identify you forever. I can’t even conceive why the enterprise world will adopt the iPad with these kind of problems.</description>
    </item>
    
    <item>
      <title>Small update to gdbinit and to the website</title>
      <link>https://reverse.put.as/2011/03/07/small-update-to-gdbinit-and-to-the-website/</link>
      <pubDate>Mon, 07 Mar 2011 23:07:52 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2011/03/07/small-update-to-gdbinit-and-to-the-website/</guid>
      <description>I decided to mess around with this blog template style sheets and use a better font and change some minor things. I added three new pages at the navigation bar – one with all available gdbinit files in this site, another for my GDB patches and a tag cloud (still have to tag old posts). I will also add a page with all source code published here.
This small gdbinit update implements some fixes and a new command rint3 (check the file header for the changelog).</description>
    </item>
    
    <item>
      <title>Update to GDB patches – fix for a &#34;new&#34; bug</title>
      <link>https://reverse.put.as/2011/02/21/update-to-gdb-patches-fix-a-new-bug/</link>
      <pubDate>Mon, 21 Feb 2011 23:07:11 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2011/02/21/update-to-gdb-patches-fix-a-new-bug/</guid>
      <description>I was messing around with SoftwarePassport and Amit Singh’s tiny executable to find out why GDB doesn’t breakpoint in those two executables. I thought it was due to incomplete headers, but GDB also can’t breakpoint into nicertiny, which has the segment/section added (otool/otx problems can be fixed by manually adding the missing section – there is enough padding space in the header to do that, so SoftwarePassport developers might want to fix that).</description>
    </item>
    
    <item>
      <title>There’s a new protection in town, Software Passport, from the developers of Armadillo :-)</title>
      <link>https://reverse.put.as/2011/02/16/theres-a-new-protection-in-town-software-passport-from-the-developers-of-armadillo/</link>
      <pubDate>Wed, 16 Feb 2011 22:58:27 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2011/02/16/theres-a-new-protection-in-town-software-passport-from-the-developers-of-armadillo/</guid>
      <description>A reader sent me the link for a new software protection package called Software Passport (here). This is from The Silicons Realms, the makers of Armadillo for Windows. Since I’m as curious as a cat, I started giving it a quick look, to see if it has any interesting things related to anti-debugging and anti-disassembly.</description>
The good news is that there are some new tricks that I haven’t seen before, for example, GDB can’t trace the initial loader.</description>
    </item>
    
    <item>
      <title>It’s not my war but...</title>
      <link>https://reverse.put.as/2011/02/15/its-not-my-war-but/</link>
      <pubDate>Tue, 15 Feb 2011 22:57:38 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2011/02/15/its-not-my-war-but/</guid>
      <description>I just saw the following at MSJ and the reaction there is simply childish, to not digress much about it. The author of Remote Buddy leaves the post below, asking for them to stop distributing cracks on his software. As a response, tons of links with the crack are published and they start complaining about the price. I really hope that these guys one day get what they deserve, their works pirated or them exploited by their bosses and underpaid.</description>
    </item>
    
    <item>
      <title>Universe’s best and legal Mac OS X reversing tutorial for newbies (or maybe not!)</title>
      <link>https://reverse.put.as/2011/02/12/universes-best-and-legal-mac-os-x-reversing-tutorial-for-newbies-or-maybe-not/</link>
      <pubDate>Sat, 12 Feb 2011 22:57:03 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2011/02/12/universes-best-and-legal-mac-os-x-reversing-tutorial-for-newbies-or-maybe-not/</guid>
      <description>I have decided to re-release my beginners’ tutorial, this time based on a crackme, so it deserves the upgrade to Universe instead of World.
It includes patching, serial fishing and a keygen. I have updated some errors that I found in the original tutorial.
Reversing and breaking protections is a great hobby and fantastic knowledge to possess. The problem is that many abuse this and want to profit from it. I really don’t like not sharing knowledge because sharing also allows me to progress, seeking new challenges and learning new things.</description>
    </item>
    
    <item>
      <title>Another update to gdbinit for iOS and ARM support to ptool.pl and offset.pl</title>
      <link>https://reverse.put.as/2011/02/03/another-update-to-gdbinit-for-ios-and-arm-support-to-ptool-pl-and-offset-pl/</link>
      <pubDate>Thu, 03 Feb 2011 22:56:24 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2011/02/03/another-update-to-gdbinit-for-ios-and-arm-support-to-ptool-pl-and-offset-pl/</guid>
      <description>I have fixed some of the missing stuff in gdbinit for iOS. Now the jump conditions are displayed for ARM and Thumb modes and the stepo command is working for ARM and semi-working for Thumb (to be fixed in the next release). Also implemented minor cosmetic changes.
The tools to show Mach-O header information and calculate offsets to be patched were also updated to support ARM binaries. Offset.pl is by default interactive (you can choose from the available architectures in the binary, if fat), and ptool.</description>
    </item>
    
    <item>
      <title>Need help with code signing in iOS!</title>
      <link>https://reverse.put.as/2011/01/28/need-help-with-code-signing-in-ios/</link>
      <pubDate>Fri, 28 Jan 2011 22:55:51 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2011/01/28/need-help-with-code-signing-in-ios/</guid>
      <description>Well this one is driving me crazy so better ask for some help before I fire the big guns and go commando mode with this.
I’m trying to patch iOS apps so I can remove “spyware” and other stuff. Newest iOS versions require all code to be signed. This article by Saurik talks about 3 different ways to workaround this problem without a developer certificate (an idea that crossed my mind is to configure the kernel only to accept Apple’s certificates and my certificate, to avoid rogue stuff like worms [I have to see if code signing is effective against code injection for example]).</description>
    </item>
    
    <item>
      <title>gdbinit v0.1 for iOS (iPad at least :-))</title>
      <link>https://reverse.put.as/2011/01/27/gdbinit-v0-1-for-ios-ipad-at-least/</link>
      <pubDate>Thu, 27 Jan 2011 22:55:09 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2011/01/27/gdbinit-v0-1-for-ios-ipad-at-least/</guid>
      <description>I just finished porting gdbinit to iOS. The basic stuff is working except the stepo command (one of my favourites!), the Objective-C selector and showing what will happen with conditional branches (I have to see how to implement this since ARM instructions can be conditional). I have tested it on my iPad with GDB available from Cydia (it seems you can use Apple’s version) and it works, so it should give no special problems with other iOS devices.</description>
    </item>
    
    <item>
      <title>How to make an iPad connect thru a ssh SOCKS proxy &#43; iOS &#34;spyware&#34;</title>
      <link>https://reverse.put.as/2011/01/22/how-to-make-an-ipad-connect-thru-a-ssh-socks-proxy-ios-spyware/</link>
      <pubDate>Sat, 22 Jan 2011 22:53:38 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2011/01/22/how-to-make-an-ipad-connect-thru-a-ssh-socks-proxy-ios-spyware/</guid>
      <description>These days I’ve been messing around with DTrace and the mach side of OS X kernel. I still have to figure out how to make DTrace helpful in reversing protections and other stuff – I’m talking about efficiency in finding the right spots and gathering information. It’s a very powerful tool for system administration but has some shortcomings regarding reversing. Today I was a bit tired due to lack of proper sleep time so I started messing with the iPad.</description>
    </item>
    
    <item>
      <title>Why cracking the vast majority of Mac apps isn’t that sexy...</title>
      <link>https://reverse.put.as/2011/01/17/why-cracking-the-vast-majority-of-mac-apps-isnt-that-sexy/</link>
      <pubDate>Mon, 17 Jan 2011 22:52:04 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2011/01/17/why-cracking-the-vast-majority-of-mac-apps-isnt-that-sexy/</guid>
      <description>I shouldn’t be posting this because the guy doesn’t deserve any traffic he might get by writing this. But it’s so funny that I cannot resist (yes, I’m weak).
The blog post is called &amp;ldquo;I Can Crack Your App With Just A Shell (And How To Stop Me)&amp;rdquo; and it’s available here. I especially like his advice because it shows he doesn’t know anything about protecting apps, and I have the feeling that the second article he links is a complete ripoff from one or two articles around the web.</description>
    </item>
    
    <item>
      <title>Reversing the exit(173) from the Mac App Store</title>
      <link>https://reverse.put.as/2011/01/15/reversing-the-exit173-from-the-mac-app-store/</link>
      <pubDate>Sat, 15 Jan 2011 22:51:18 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2011/01/15/reversing-the-exit173-from-the-mac-app-store/</guid>
      <description>This will be a work in progress so this post might be updated a few times.
As promised, a reader sent me the Mac App Store (MAS) validation guidelines (thank you again!) and I got curious about one detail, the exit(173). This guide states that if an application fails to validate the receipt because it’s not present, then it should exit with status 173. This status will be interpreted by the system and it will try to obtain a valid receipt – this is the reason why you see that message asking for Sign in when the receipt isn’t valid and you can see the email address of the guy who released that app to the wild.</description>
    </item>
    
    <item>
      <title>The sad state of reverse engineering software/hardware protections</title>
      <link>https://reverse.put.as/2011/01/12/the-sad-state-of-reverse-engineering-softwarehardware-protections/</link>
      <pubDate>Wed, 12 Jan 2011 22:50:35 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2011/01/12/the-sad-state-of-reverse-engineering-softwarehardware-protections/</guid>
      <description>I have just finished reading the legal papers served against Geohot regarding the PS3 jailbreaking/cracking/private keys/etc. It shows the sad state that we have reached in reverse engineering and society as a whole. It’s a fight between knowledge and profit, and in the middle there is a grey area called piracy.
My passion for knowledge is very deep and I like to try to understand everything I can. I remember the day I had my Commodore Amiga 500 and someone sent me a disk with a special menu that I never saw before.</description>
    </item>
    
    <item>
      <title>The Mac App Store... Security broken by design?</title>
      <link>https://reverse.put.as/2011/01/07/the-mac-app-store-security-broken-by-design/</link>
      <pubDate>Fri, 07 Jan 2011 22:48:20 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2011/01/07/the-mac-app-store-security-broken-by-design/</guid>
      <description>The Mac App Store opened yesterday and a few hours after the web is already full of news about the hacking/cracking/defeat/whatever of the store. When I heard about the Mac App Store, I became curious about how it would handle the serial and other protections of normal applications. I had read an article/news that talked about no more serials since the App Store would handle that – this is logical since you pay first to download the application, so the payment problem is solved.</description>
    </item>
    
    <item>
      <title>A semi-automated way to find sysent</title>
      <link>https://reverse.put.as/2010/11/27/a-semi-automated-way-to-find-sysent/</link>
      <pubDate>Sat, 27 Nov 2010 22:46:30 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2010/11/27/a-semi-automated-way-to-find-sysent/</guid>
      <description>The original method to hijack sysent table was described by Landon Fuller and then Braden Thomas updated it to Snow Leopard due to new location and lack of nsysent symbol. Charlie Miller and Dino Dai Zovi at The Mac Hacker’s Handbook, have some code to try to automate this search for sysent. I never tried it before and today I decided to hack around it. It suffers from the problem of no nsysent symbol (is there a way to fix it?</description>
    </item>
    
    <item>
      <title>A new GDB frontend and some pics from the past</title>
      <link>https://reverse.put.as/2010/10/11/a-new-gdb-frontend-and-some-pics-from-the-past/</link>
      <pubDate>Mon, 11 Oct 2010 22:42:00 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2010/10/11/a-new-gdb-frontend-and-some-pics-from-the-past/</guid>
      <description>Hi,
There is a new GDB Cocoa frontend in town courtesy of Kurt. It’s still in early stages but it’s always interesting to have people developing tools for OS X. Congrats to Kurt. You can contact him at kurt@osxdbg.co.cc for bug reporting!
I also bring you two pics from an old HardLock dongle that I found while tidying up some drawers. It’s a parallel port HardLock Eye v4.1b, and it’s like 8 years old or more (can’t really remember heheh).</description>
    </item>
    
    <item>
      <title>GDB anti-debug, Otool/otx anti-disassembly… It’s Challenge number 3 !!!</title>
      <link>https://reverse.put.as/2010/08/18/gdb-anti-debug-otoolotx-anti-disassembly-its-challenge-number-3/</link>
      <pubDate>Wed, 18 Aug 2010 17:59:27 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2010/08/18/gdb-anti-debug-otoolotx-anti-disassembly-its-challenge-number-3/</guid>
      <description>Today I decided to give a look at Challenge #3 since it promised nasty tricks. Now that looks like a challenge and I love challenges! If you think this is a spoiler then stop reading and come back in a week or so. There is no solution for the challenge; I’m more interested in the “nasty” trick used and why the tools are failing. And I don’t need the Challenge itself to analyse this behavior since I can reproduce it with my own code.</description>
    </item>
    
    <item>
      <title>How to Keygen MSJ Kracking Challenge ’10 – Challenge #1</title>
      <link>https://reverse.put.as/2010/08/02/how-to-keygen-msj-kracking-challenge-10-challenge-1/</link>
      <pubDate>Mon, 02 Aug 2010 17:58:28 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2010/08/02/how-to-keygen-msj-kracking-challenge-10-challenge-1/</guid>
      <description>The MBA is over and I’m enjoying my vacations to clear stuff from the Todo list, to read books, to play some games and to do other stuff.
Today the MacSerialJunkies contest started and I decided to give it a go. It’s a very simple crackme with a small twist where you have to bruteforce a MD5 string. I had reversed the serial routine and was starting the bruteforce without thinking much about it (first attempts were by searching online MD5 hash databases for the corresponding plaintext but no such luck).</description>
    </item>
    
    <item>
      <title>Very small update...</title>
      <link>https://reverse.put.as/2010/06/08/very-small-update/</link>
      <pubDate>Tue, 08 Jun 2010 17:57:45 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2010/06/08/very-small-update/</guid>
      <description>Hi!
I just updated the crackmes with #5 from MSJ challenge and added a new tool for encrypting/decrypting apple encrypted binaries. I had planned to do this tool but it’s great that someone did it first! It’s good to see people developing tools for OS X, even if they are very simple. Thank you to the author and to the guy who pointed me to it and sent the crackme 😉.</description>
    </item>
    
    <item>
      <title>Onyx the Black Cat v0.4 for Snow Leopard</title>
      <link>https://reverse.put.as/2010/05/24/onyx-the-black-cat-v0-4-for-snow-leopard/</link>
      <pubDate>Mon, 24 May 2010 17:52:35 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2010/05/24/onyx-the-black-cat-v0-4-for-snow-leopard/</guid>
      <description>I had this one working for a long time but I hadn’t released it because I was trying to hijack fork and vfork calls. My objective was to introduce an int3 so I could attach the debugger to a selected process. At that time I suspected that VLOK was forking and I couldn’t debug the new process since the follow-on-fork GDB function isn’t implemented in OS X (so this looks like a good idea for a protection 😉).</description>
    </item>
    
    <item>
      <title>OS X Crackmes</title>
      <link>https://reverse.put.as/2010/05/21/os-x-crackmes/</link>
      <pubDate>Fri, 21 May 2010 17:51:59 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2010/05/21/os-x-crackmes/</guid>
      <description>Hello,
I have just added a page to collect crackmes for OS X. I have added the ones that I already had and some recommended from user comments. Since corruptfire.com seems down I cannot retrieve the other ones they had.
If you have more crackmes please mail them to me so I can add them to the page. It would be nice to start having more crackmes developed for OS X.</description>
    </item>
    
    <item>
      <title>gdbinit v7.3</title>
      <link>https://reverse.put.as/2010/04/16/gdbinit-v7-3/</link>
      <pubDate>Fri, 16 Apr 2010 17:51:17 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2010/04/16/gdbinit-v7-3/</guid>
      <description>I was bored and decided to fix gdbinit to support 64 bit binaries. I had tried it before but the solution was a piece of crap (not that this one is much better). I was testing the registers to see if the binary was 32 or 64 bit. Now there is a default setting to 32 bit (change it if you want to default to 64 bit) and two commands, 32bits and 64bits to change between the two types of targets.</description>
    </item>
    
    <item>
      <title>reverse.put.as is back in a new format...</title>
      <link>https://reverse.put.as/2010/04/09/reverse-put-as-is-back-in-a-new-format/</link>
      <pubDate>Fri, 09 Apr 2010 17:49:42 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2010/04/09/reverse-put-as-is-back-in-a-new-format/</guid>
      <description>I have been thinking about this and how to get this blog back to life. My free time has been almost zero but I miss the motivation to put my brain to tinker and create new things to publish, because reversing and everything around it sometimes is a great relaxing activity for me.
The last couple of days I had to revisit one of my favourite books ever, where it is written that &amp;ldquo;DO NOT COVET YOUR IDEAS: Give away everything you know, and more will come back to you.</description>
    </item>
    
    <item>
      <title>Brief analysis of the VLOK protection</title>
      <link>https://reverse.put.as/2010/01/06/brief-analysis-of-the-vlok-protection/</link>
      <pubDate>Wed, 06 Jan 2010 14:55:50 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2010/01/06/brief-analysis-of-the-vlok-protection/</guid>
      <description>I just finished my brief analysis on this protection and I have a very macro view about it and how to break it. If my gut is correct (if you have read Blink! you will trust your gut most of the times, if not go read it since it’s a great book) I can decrypt and run any game so I will not publish any detailed information about it.
The protection is based on a keyfile that is sent to you after you register online.</description>
    </item>
    
    <item>
      <title>A new util to process Mach-O binaries information (or a replacement to otool -l)</title>
      <link>https://reverse.put.as/2010/01/05/a-new-util-to-process-mach-o-binaries-information-or-a-replacement-to-otool-l/</link>
      <pubDate>Tue, 05 Jan 2010 17:46:21 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2010/01/05/a-new-util-to-process-mach-o-binaries-information-or-a-replacement-to-otool-l/</guid>
      <description>For a long time I have been annoyed by the information displayed by otool -l because it mixes hexadecimal with decimal information. For example, offsets are displayed in decimal and relative to the CPU architecture in the fat binary. So I had to convert and calculate things by hand every time I wanted to peek or modify something at the hex editor. HTE allows you to see this information and even edit it, but it doesn’t support fat binaries (and I have to start it under iTerm to support the keyboard shortcuts – I didn’t want to waste time researching to get it to work with Terminal.</description>
    </item>
    
    <item>
      <title>Happy new year and a small christmas gift!</title>
      <link>https://reverse.put.as/2009/12/26/happy-new-year-and-a-small-christmas-gift/</link>
      <pubDate>Sat, 26 Dec 2009 17:45:26 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2009/12/26/happy-new-year-and-a-small-christmas-gift/</guid>
      <description>November was a pretty busy month with exams and assignments to be delivered. I have been having a lot of fun with the MBA since analysing financial statements is some kind of reverse engineering and I missed Economics stuff (I have an undergraduate degree in Economics). I really like to go outside the box for some time to gain new perspectives.
Since the 1st term is finished, I decided to finally upgrade to Snow Leopard.</description>
    </item>
    
    <item>
      <title>Snow Leopard impact into reverse engineering world...</title>
      <link>https://reverse.put.as/2009/10/29/snow-leopard-impact-into-reverse-engineering-world/</link>
      <pubDate>Thu, 29 Oct 2009 17:44:12 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2009/10/29/snow-leopard-impact-into-reverse-engineering-world/</guid>
      <description>Some folks were complaining about problems with otx and Snow Leopard so I decided to boot my Snow Leopard install and give it a try&amp;hellip;
Well, they were right since Snow Leopard compiles 64 bit binaries by default. otx v0.16b seems to have problems so you will need to download from the SVN and compile the most recent version yourself. If you try to follow the tutorial you will have problems because you will have 64 bit registers (rax instead of eax, for example) so you need to adapt the tutorial.</description>
    </item>
    
    <item>
      <title>Small gdbinit update...</title>
      <link>https://reverse.put.as/2009/10/11/small-gdbinit-update/</link>
      <pubDate>Sun, 11 Oct 2009 17:43:05 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2009/10/11/small-gdbinit-update/</guid>
      <description>Things have been very quiet since the beginning of September&amp;hellip; Well my MBA has started and my free time until now has been ZERO! It has been a fun but very busy ride and comeback to the world of economics. The first weeks are recruit-like, pretty intensive with many assignments to be delivered. The recruit is now over and I should have more free time for playing again with reversing 😄.</description>
    </item>
    
    <item>
      <title>GDB patches</title>
      <link>https://reverse.put.as/2009/08/26/gdb-patches/</link>
      <pubDate>Wed, 26 Aug 2009 17:41:40 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2009/08/26/gdb-patches/</guid>
      <description>Here you have the patches I did for GDB:
To fix the problem with gdbinit
To display raw bytes in x/i and disassemble commands
To warn about the possible number of sections anti-debug trick
You can download a single patch for all changes or one for each individual change. A patched GDB binary for Intel only is available, if you trust my binaries (copy to /usr/libexec/gdb). PHP max upload size doesn’t let me add the patched source package (can’t change it due to its impact on others).</description>
    </item>
    
    <item>
      <title>Anatomy of a GDB anti-debug trick part II: GDB isn’t alone!</title>
      <link>https://reverse.put.as/2009/08/26/anatomy-of-a-gdb-anti-debug-trick-part-ii-gdb-isnt-alone/</link>
      <pubDate>Wed, 26 Aug 2009 17:39:49 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2009/08/26/anatomy-of-a-gdb-anti-debug-trick-part-ii-gdb-isnt-alone/</guid>
      <description>After having found the source of the GDB anti-debug trick, I started modifying GDB to work around the problem and fix the number of sections on the fly (it’s simple to calculate the real number of sections). I was coding on a long train trip and everything was going great&amp;hellip; My hack worked and GDB fixed and loaded the file without a problem. Next step was to run the program but when I tried I had this surprise:</description>
    </item>
    
    <item>
      <title>Reversing Pokerstars online poker client (I hope they aren’t from Vegas !!!)</title>
      <link>https://reverse.put.as/2009/08/20/reversing-pokerstars-online-poker-client-i-hope-they-arent-from-vegas/</link>
      <pubDate>Thu, 20 Aug 2009 17:38:28 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2009/08/20/reversing-pokerstars-online-poker-client-i-hope-they-arent-from-vegas/</guid>
      <description>Today I bring you something from the old projects trunk. Like many other millions of people I enjoy playing online Texas Hold’em Poker. I started with Pokerstars three years ago, and after a while, diabolical ideas came to my head about reversing the client to have a peek into their communication protocol (what else were you expecting? I love to break things!).
The project was on hold for a long time (started when Windows was my daily OS).</description>
    </item>
    
    <item>
      <title>Anatomy of a GDB anti-debug trick</title>
      <link>https://reverse.put.as/2009/08/13/anatomy-of-a-gdb-anti-debug-trick/</link>
      <pubDate>Thu, 13 Aug 2009 17:36:08 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2009/08/13/anatomy-of-a-gdb-anti-debug-trick/</guid>
      <description>Well, it seems this is the GDB post season! The past days have been dedicated to messing around with GDB source code and today I have what I think is a nice story to tell.
After hacking off my old wish of having the disassembly raw bytes to be printed (like Ollydbg, Softice, IDA, otx, etc&amp;hellip;) I was interested in trying to fix one anti-debug trick. This presentation by nemo shows an anti-debug trick that works against GDB and others.</description>
    </item>
    
    <item>
      <title>Fix for Apple’s GDB bug or why Apple forks are bad...</title>
      <link>https://reverse.put.as/2009/08/10/fix-for-apples-gdb-bug-or-why-apple-forks-are-bad/</link>
      <pubDate>Mon, 10 Aug 2009 17:34:49 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2009/08/10/fix-for-apples-gdb-bug-or-why-apple-forks-are-bad/</guid>
      <description>It’s not a breakthrough post but I finally found where the bug that messed up gdbinit is located. I got obsessed with this problem and started browsing GDB source code. I knew that the problem occurred when the file or add-symbol commands were used. The difference from file to exec-file is that symbols are loaded so that was my starting point. This was more or less my flow:
file -&amp;gt; file_command -&amp;gt; symbol_file_command -&amp;gt; symbol_file_add_main_1 -&amp;gt; symbol_file_add_name_with_addrs_or_offsets -&amp;gt; symbol_file_add_with_addrs_or_offsets -&amp;gt; symbol_file_add_with_addrs_or_offsets_using_objfile -&amp;gt; new_symfile_objfile -&amp;gt; clear_symtab_users -&amp;gt; clear_internalvars</description>
    </item>
    
    <item>
      <title>Workaround for Apple’s GDB bug...</title>
      <link>https://reverse.put.as/2009/08/06/workaround-for-apples-gdb-bug/</link>
      <pubDate>Thu, 06 Aug 2009 17:33:54 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2009/08/06/workaround-for-apples-gdb-bug/</guid>
      <description>I had unconsciously found the workaround a few months ago while hacking around Little Snitch with kernel debugging. To make things easier I had a small GDB script to call the debug kit macros and set all the variables that are the source of the problem with gdbinit. This was something I never thought about, just accepted it.
Today, while answering to a comment, the connection was made inside my brain (I love how the brain works!</description>
    </item>
    
    <item>
      <title>gdbinit 7.1.7 and some bla bla bla...</title>
      <link>https://reverse.put.as/2009/08/05/gdbinit-7-1-7-and-some-bla-bla-bla/</link>
      <pubDate>Wed, 05 Aug 2009 17:32:17 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2009/08/05/gdbinit-7-1-7-and-some-bla-bla-bla/</guid>
      <description>Greetings !
For the past weeks I have been pretty much bored with any kind of reversing so all my projects are stopped. Today I decided to fix some bugs at gdbinit and the result is version 7.1.7. The assemble command is finally fixed, added some semi-useful commands and changed some colours. Nothing big 😄.
Blackhat USA 2009 had a very interesting presentation about hacking Apple’s keyboard firmware updates. The paper and presentation are really very nice and create a very interesting attack vector.</description>
    </item>
    
    <item>
      <title>A little disassembler for MPress packer...</title>
      <link>https://reverse.put.as/2009/07/23/a-little-disassembler-for-mpress-packer/</link>
      <pubDate>Thu, 23 Jul 2009 17:30:58 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2009/07/23/a-little-disassembler-for-mpress-packer/</guid>
      <description>Since otool and otx can’t disassemble the packed binary, Andreas Gumundsson wrote a quick tool to do that job, using Udis86, a disassembler library for x86 and AMD64. Check the source to see the required compiler options.
Example usage:
$ ./disas -f mmpress.i386 -t macho | head -10
Found entrypoint inmemory address 0xd6b0
NCMDS 2
CMD 1
Looking in __MPRESS__v.1.21
Found entrypoint file offset 0x36b0
sub ebx, ebx
mov edi, ebx
call 0xd6b9
pop eax
add eax, 0x27c
Original source available here, and a local copy here.</description>
    </item>
    
    <item>
      <title>How to dump a MPress packed binary...</title>
      <link>https://reverse.put.as/2009/07/22/how-to-dump-a-mpress-packed-binary/</link>
      <pubDate>Wed, 22 Jul 2009 17:29:42 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2009/07/22/how-to-dump-a-mpress-packed-binary/</guid>
      <description>Someone at macserialjunkie board posted a problem with the mpress packer. Since packers are a pretty rare thing at OS X and I was bored, I decided to give it a quick look. The result is another tutorial about manually unpacking this kind of binary. It’s not hard and the packer isn’t that great.
Objective-C binaries can be dumped but there is a problem with NIB references, I think. I was already investigating this problem with other dumping experiences.</description>
    </item>
    
    <item>
      <title>A memory dumper for Apple crypted binaries! Hurray !!!</title>
      <link>https://reverse.put.as/2009/07/08/a-memory-dumper-for-apple-crypted-binaries-hurray/</link>
      <pubDate>Wed, 08 Jul 2009 17:27:47 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2009/07/08/a-memory-dumper-for-apple-crypted-binaries-hurray/</guid>
      <description>Here it is, another example of my super l33t lame coding skills! This wonder code will decrypt an Apple crypted binary via memory dumping. Maybe direct decryption (based on Amit Singh code) would be easier and nicer, but I wanted to do it this way as a test and an exercise. The code has a lot of comments that should help you understand what is being done.
Basically the trick is to load the binary and attach ptrace to it, and then dump using mach vm_read function.</description>
    </item>
    
    <item>
      <title>How to dump an Apple protected binary</title>
      <link>https://reverse.put.as/2009/06/30/how-to-dump-an-apple-protected-binary/</link>
      <pubDate>Tue, 30 Jun 2009 17:26:19 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2009/06/30/how-to-dump-an-apple-protected-binary/</guid>
      <description>From the department of useless stuff comes a simple trick…
A few days ago, a reader sent me an email asking about obfuscated code, in what appeared to be Apple’s binary protection. I already knew this Amit Singh article, but never played with it. Since I’m very curious (I love cats but Onyx still doesn’t like me very much) and I’m messing around with dumping, I decided to give it a try.</description>
    </item>
    
    <item>
      <title>&#34;Removing&#34; Apple code signing from a binary...</title>
      <link>https://reverse.put.as/2009/05/29/removing-apple-code-signing-from-a-binary/</link>
      <pubDate>Fri, 29 May 2009 14:47:55 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2009/05/29/removing-apple-code-signing-from-a-binary/</guid>
      <description>A few months ago while discussing code signing with a user (PTHPasteboard project), I had the idea to &amp;ldquo;revirgin&amp;rdquo; the code signed binary by removing the Mach-O LC_CODE_SIGNATURE command. As usual with my many ideas, I never explored that one, until today when I received an email asking about this idea. I decided to give it a try. My code is a simple Hello world, compiled for i386 only. After the binary is compiled, I sign it with my test certificate and mark the process to be killed if code signing fails.</description>
    </item>
    
    <item>
      <title>Cracking a Mac OS X Screensaver</title>
      <link>https://reverse.put.as/2009/04/16/cracking-a-mac-os-x-screensaver/</link>
      <pubDate>Thu, 16 Apr 2009 14:43:24 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2009/04/16/cracking-a-mac-os-x-screensaver/</guid>
      <description>There are days I &amp;ldquo;hate&amp;rdquo; my obsessive and curious mind! The day I was checking Apple’s Just Added downloads feed and found this nice screensaver is one of those.
3D Desktop Aquarium Screensaver (available at http://www.uselesscreations.com) grabbed my attention because it looks nice and I love fishes. As usual, I started poking around and decided I had to crack it because I never did a screensaver before.
The result is another tutorial 😄.</description>
    </item>
    
    <item>
      <title>A bunch of old tutorials...</title>
      <link>https://reverse.put.as/2009/04/07/a-bunch-of-old-tutorials/</link>
      <pubDate>Tue, 07 Apr 2009 17:25:26 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2009/04/07/a-bunch-of-old-tutorials/</guid>
      <description>While cleaning my hard disk I have found a zip file with a few old Mac OS X cracking tuts. Most are for PPC but they are still useful for learning reversing techniques.
Grab it here: tuts.zip (SHA1(tuts.zip)= 3a0e1729e811deb7b7e8e19e0d6a61c9e3831b84)
My free time is almost zero since GMAT study is taking every second I have (well, Afro Samurai/The Godfather 2 are taking something too).
A score higher than 700 is not an easy task.</description>
    </item>
    
    <item>
      <title>Defeating Little Snitch and thinking about piracy...</title>
      <link>https://reverse.put.as/2009/03/27/defeating-little-snitch-and-thinking-about-piracy/</link>
      <pubDate>Fri, 27 Mar 2009 17:24:14 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2009/03/27/defeating-little-snitch-and-thinking-about-piracy/</guid>
      <description>I have managed to bypass Little Snitch’s 3 hour limit with a one or two byte patch (can’t remember and too lazy to check it now) three days after I had access to kernel debugging. A very well designed protection (at least it’s a pain to analyse) was defeated because there was a weak element (there is always at least one weak element) and I easily found it.
I have emailed OBDev about this and asked if they would allow me to publish details.</description>
    </item>
    
    <item>
      <title>Onyx The Black Cat v0.3</title>
      <link>https://reverse.put.as/2009/03/25/onyx-the-black-cat-v03/</link>
      <pubDate>Wed, 25 Mar 2009 17:23:10 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2009/03/25/onyx-the-black-cat-v03/</guid>
      <description>Version 0.3 is here. A couple of small bugs are fixed, module features can be controlled via sysctl variables (enable or disable features) and code is split into different source files (it was a mess in a single file!). Tiger support is removed so it’s ready to work with Leopard 10.5.6. Check the README file for more info.
As a bonus I discovered that DTrace equivalent to PT_DENY_ATTACH is P_LNOATTACH, and is bypassed due to our ptrace hijack.</description>
    </item>
    
    <item>
      <title>Mach-O binary offset calculator</title>
      <link>https://reverse.put.as/2009/03/13/mach-o-binary-offset-calculator/</link>
      <pubDate>Fri, 13 Mar 2009 17:21:30 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2009/03/13/mach-o-binary-offset-calculator/</guid>
      <description>I made a mistake in this tutorial! The way to calculate offsets to patch is wrong because I committed an inference error (analysed only a few binaries and assumed it to be correct). Found this while creating a program to calculate everything automatically. Check the code if you are interested in understanding how it’s done. Meanwhile I will update the tutorial&amp;hellip;
Without any further delays, I present you with Binary offset calculator.</description>
    </item>
    
    <item>
      <title>Why is kernel debugging fun?</title>
      <link>https://reverse.put.as/2009/03/09/why-is-kernel-debugging-fun/</link>
      <pubDate>Mon, 09 Mar 2009 14:32:55 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2009/03/09/why-is-kernel-debugging-fun/</guid>
      <description>Just look at this:
I just got Little Snitch to keep working even with the network filter being off (that should be equivalent to an expired 3 hour trial). The game is still not over because only the Once button is working but it seems I have my entry point 😄.
Little Snitch works by using a socket filter (Apple document here) installed when the kernel module starts (Correction: the Little Snitch kernel module is an IOKit driver and not a simple kernel extension).</description>
    </item>
    
    <item>
      <title>Mac OS X Kernel debugging with VMware</title>
      <link>https://reverse.put.as/2009/03/05/mac-os-x-kernel-debugging-with-vmware/</link>
      <pubDate>Thu, 05 Mar 2009 17:01:43 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2009/03/05/mac-os-x-kernel-debugging-with-vmware/</guid>
      <description>I love VMware (used it since its first releases) and I love it even more now 😄. Yesterday I had the not so crazy idea (and not original) to use VMware for Mac OS X kernel debugging because the newest Little Snitch version seems to have a new anti-debug trick and I don’t have another Mac at hand.
After some trial and error I managed to get it working, so let’s show how it’s possible.</description>
    </item>
    
    <item>
      <title>Serial phishing tutorial !!! It’s hot hot hot ;)</title>
      <link>https://reverse.put.as/2009/02/23/serial-phishing-tutorial-its-hot-hot-hot/</link>
      <pubDate>Mon, 23 Feb 2009 14:14:56 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2009/02/23/serial-phishing-tutorial-its-hot-hot-hot/</guid>
      <description>Hey, today is a slow day and I got a suggestion to write about serial phishing. Someone else suggested an easy target and here it is, a tutorial about serial phishing.
The target is a very easy one so you should be able to understand everything and practice your GDB skills a little more.
Here are the files:
serial-phishing.txt
macdvix.dmg (SHA1(MacDviX.dmg)= 9eb463acff18d003c4a0d619171ce0cd93bc53e6)
(Unfortunately I lost the installer and can&amp;rsquo;t find it on my backups 😦).</description>
    </item>
    
    <item>
      <title>World’s best Mac OS X reversing tutorial for newbies (or maybe not!)</title>
      <link>https://reverse.put.as/2009/02/23/worlds-best-mac-os-x-reversing-tutorial-for-newbies-or-maybe-not/</link>
      <pubDate>Mon, 23 Feb 2009 14:10:20 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2009/02/23/worlds-best-mac-os-x-reversing-tutorial-for-newbies-or-maybe-not/</guid>
      <description>Things are a bit slow around here. GMAT is taking most of my free time and the day job has been busy. Last week I had some free time and decided to take on this small project.
By popular demand here it is, a long tutorial explaining how to reverse/crack a Mac OS X application, starting with tools (GDB and otx) and then a step by step of how to crack a time trial protection.</description>
    </item>
    
    <item>
      <title>iWork/Photoshop Trojan or Botnet Binary found</title>
      <link>https://reverse.put.as/2009/01/22/iwork-trojan-or-botnet-binary-found/</link>
      <pubDate>Thu, 22 Jan 2009 16:58:53 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2009/01/22/iwork-trojan-or-botnet-binary-found/</guid>
      <description>It seems there is a trojan or botnet binary for OS X in the wild. Some details available at http://ithreats.wordpress.com/2009/01/22/latest-os-x-threat-iworkservices/.
The iWorkservices binary is available here: iWorkServices-trojan.zip
A very quick and dirty strings dump and disassembly seems to show a trojan with botnet capabilities. There are references to p2p and that can be the main clue. There are no clear string references to a specific IP address or URL, which nowadays makes sense since most botnets use p2p features to contact the master nodes.</description>
    </item>
    
    <item>
      <title>Gdbinit v7.1.6</title>
      <link>https://reverse.put.as/2009/01/21/gdbinit-v716/</link>
      <pubDate>Wed, 21 Jan 2009 16:53:57 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2009/01/21/gdbinit-v716/</guid>
      <description>While searching the web for some GDB patches I stumbled upon this fix to the assemble function from gdbinit by Tavis Ormandy (good work!). I modified it a little bit to work with Mac OS X. This function allows you to assemble directly (using nasm, Intel format) into a running program or just output the corresponding opcodes for your assembly input. Type help assemble. Very useful to get the opcodes you need to patch the binary.</description>
    </item>
    
    <item>
      <title>How to compile GDB and other Apple open source packages in Mac OS X</title>
      <link>https://reverse.put.as/2009/01/14/how-to-compile-gdb-and-other-apple-open-source-packages-in-mac-os-x/</link>
      <pubDate>Wed, 14 Jan 2009 16:50:39 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2009/01/14/how-to-compile-gdb-and-other-apple-open-source-packages-in-mac-os-x/</guid>
      <description>I wanted to recompile GDB so I can modify its source and add some custom patches to enhance its output&amp;hellip; Easier said than done!
There’s not much information around about this and my first attempt was to download the GDB source package from Apple and try to compile it. It didn’t compile out of the box so I had to fix here and there and finally it compiled, but then it didn’t work.</description>
    </item>
    
    <item>
      <title>Mailing list and IRC channel</title>
      <link>https://reverse.put.as/2009/01/05/mailing-list-and-irc-channel/</link>
      <pubDate>Mon, 05 Jan 2009 16:48:59 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2009/01/05/mailing-list-and-irc-channel/</guid>
      <description>I forgot to mention this previously but there is a mailing list available at http://0x90.org/mailman/listinfo/xso and an IRC channel at irc.freenode.net, #osxre.
It’s still a small community but more people are showing up and IRC is always a good communication tool.
I’m not administrator of both, but YOU are invited to join 😄.
fG!</description>
    </item>
    
    <item>
      <title>More gdbinit addons!</title>
      <link>https://reverse.put.as/2008/12/31/more-gdbinit-addons/</link>
      <pubDate>Wed, 31 Dec 2008 16:47:06 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2008/12/31/more-gdbinit-addons/</guid>
      <description>End of the year is slow and I was a bit inspired so I decided to hack on some other features I was missing from gdbinit!
First one is about conditional jump display. The original gdbinit doesn’t tell you what decision will be taken on a conditional jump. You must look at the flags and check that! Well&amp;hellip; I can’t memorize this kind of stuff (in reality I can but it’s useless so I refuse to) and computers were created to automate tasks!</description>
    </item>
    
    <item>
      <title>A lazy xmas gift or a lazy addon to gdbinit</title>
      <link>https://reverse.put.as/2008/12/29/a-lazy-xmas-gift-or-a-lazy-addon-to-gdbinit/</link>
      <pubDate>Mon, 29 Dec 2008 16:45:27 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2008/12/29/a-lazy-xmas-gift-or-a-lazy-addon-to-gdbinit/</guid>
      <description>While I was messing with gdbinit three weeks ago, I added a small feature that displays the messages being sent to objc_msgSend. Usually I follow the otool or IDA dump and see what’s being sent, but that’s not very practical! So I made a dirty hack with gdbinit so that information appears automatically in the GDB window. It’s not very pretty, but gdbinit is very limited 😦.
Example:
gdb$ 0x00002bc5 in main ()
--------------------------------------------------------------------------[regs]
EAX: 9FF43924 EBX: 00002B9D ECX: 9FF37B64 EDX: 00403250 o d I t S z a P c
ESI: BFFFF8F4 EDI: BFFFF898 EBP: BFFFF838 ESP: BFFFF7F0 EIP: 00002BC5
CS: 0017 DS: 001F ES: 001F FS: 0000 GS: 0037 SS: 001F
[001F:BFFFF7F0]----------------------------------------------------------[stack]
BFFFF840 : 01 00 00 00 98 F8 FF BF - A0 F8 FF BF F4 F8 FF BF .</description>
    </item>
    
    <item>
      <title>Apple’s GDB Bug?</title>
      <link>https://reverse.put.as/2008/11/28/apples-gdb-bug/</link>
      <pubDate>Fri, 28 Nov 2008 16:41:19 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2008/11/28/apples-gdb-bug/</guid>
      <description>I was trying to add some features to gdbinit and I needed global variables. I already knew that feature wasn’t working on Mac OS X GDB and I was puzzled why it didn’t work. Some quick tests on a Linux box couldn’t reproduce the same behaviour so something is wrong with Apple’s GDB version. I finally found how it happens! A very simple .gdbinit to test things would be:</description>
    </item>
    
    <item>
      <title>What’s wrong in this picture?</title>
      <link>https://reverse.put.as/2008/11/21/whats-wrong-in-this-picture/</link>
      <pubDate>Fri, 21 Nov 2008 13:44:04 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2008/11/21/whats-wrong-in-this-picture/</guid>
      <description>While browsing around http://www.apple.com/downloads to check for any interesting software (I really like the Featured 3rd party and latest software sections) I found this well designed CD burning app, Disco (http://www.discoapp.com).
I really like their website design (I have a big passion for design although I can’t design anything myself) and decided to try their app since it fits two characteristics, well designed interface and a software protection! Hurray.
Open it, bang, Little Snitch warns about connection attempt and a nice registration dialogue appears.</description>
    </item>
    
    <item>
      <title>gdbinit version 7.0 (and 7.1)</title>
      <link>https://reverse.put.as/2008/11/19/gdbinit-version-70/</link>
      <pubDate>Wed, 19 Nov 2008 16:39:54 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2008/11/19/gdbinit-version-70/</guid>
      <description>There is a new version of original +mammon gdbinit, 7.0 (available at http://truthix.dump.cz/files/.gdbinit). GDB version used by Apple has some problems with it (doesn’t recognize global variables outside each function) so it needed some fixes to work. I have changed the colors and removed the data window display (personally I don’t think it’s useful, edit define context and remove the comment for datawin).
Grab it here: gdbinit
If you want to see what was changed, just diff the two versions!</description>
    </item>
    
    <item>
      <title>Onyx The Black Cat v0.2</title>
      <link>https://reverse.put.as/2008/11/16/onyx-the-black-cat-v02/</link>
      <pubDate>Sun, 16 Nov 2008 16:38:42 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2008/11/16/onyx-the-black-cat-v02/</guid>
      <description>Here it is with support for Leopard and extended attributes. All calls related to extended attributes are traced and dumped to /var/log/system.log (I find it more useful than fs_usage for these specific calls).
Check the .c file for options related to this.
For Leopard support you need to edit the .c file and change the define. I’m still searching for a better way to detect Leopard or Tiger in XCode. Maybe a Makefile flag.</description>
    </item>
    
    <item>
      <title>Extended attributes in Mac OS X and Remote Buddy</title>
      <link>https://reverse.put.as/2008/11/10/extended-attributes-in-mac-os-x-and-remote-buddy/</link>
      <pubDate>Mon, 10 Nov 2008 13:38:38 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2008/11/10/extended-attributes-in-mac-os-x-and-remote-buddy/</guid>
      <description>I started working on Remote Buddy (http://www.iospirit.com) to test my module Onyx The Black Cat.
Some encrypted files are stored on the hard disk (fs_usage is your friend) but even after deleting all of them, the program still had an expired trial. GDB to the rescue!
After finding the correct &amp;ldquo;entrypoint&amp;rdquo; (I call entrypoint the address which helps you start to understand or find what you are interested in) and reading lots of code (the code is &amp;ldquo;unoptimized&amp;rdquo;, probably to make our reversing job boring) I finally found the interesting call, getxattr.</description>
    </item>
    
    <item>
      <title>Onyx The Black Cat v0.1 – Anti Anti-debug kernel module</title>
      <link>https://reverse.put.as/2008/10/30/onyx-the-black-cat-v01-anti-anti-debug-kernel-module/</link>
      <pubDate>Thu, 30 Oct 2008 16:32:22 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2008/10/30/onyx-the-black-cat-v01-anti-anti-debug-kernel-module/</guid>
      <description>Here is my crazy idea to create an anti anti-debug kernel module so reversing efforts get a little easier and faster against &amp;ldquo;hostile&amp;rdquo; code.
This module will protect you against the classic PT_DENY_ATTACH trick and the sysctl debugger detection trick http://developer.apple.com/qa/qa2004/qa1361.html.
For now it’s only compatible with Mac OS X Tiger v10.4.11. Soon I will make it compatible with Leopard.
Grab the binaries here: onyx-the-black-cat.kext.v0.1.tgz.
This is a small program to test the sysctl trick: antidebug.</description>
    </item>
    
    <item>
      <title>The IDA Pro Book: The Unofficial Guide to the World’s Most Popular Disassembler</title>
      <link>https://reverse.put.as/2008/10/17/the-ida-pro-book-the-unofficial-guide-to-the-worlds-most-popular-disassembler/</link>
      <pubDate>Fri, 17 Oct 2008 16:31:04 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2008/10/17/the-ida-pro-book-the-unofficial-guide-to-the-worlds-most-popular-disassembler/</guid>
      <description>Excellent book! Recommended if you are into Reverse Engineering and not only IDA specific.
Well written with lots of examples. Really enjoyed it. Well worth the money (and even cheaper if you use Amazon Market Place).
I’m back with huge amounts of work so my reversing efforts are on a halt.
Let’s see if things get calm again so I can try some ideas :-).</description>
    </item>
    
    <item>
      <title>&#34;Hacker&#34; Challenge</title>
      <link>https://reverse.put.as/2008/09/25/hacker-challenge/</link>
      <pubDate>Thu, 25 Sep 2008 16:29:42 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2008/09/25/hacker-challenge/</guid>
      <description>Hello,
If you want to have some fun and maybe improve your security/reversing skills, you might try this site http://www.dareyourmind.net. It has some nice challenges in different fields (reversing is only for Windows, but hey you should be able to reverse anything!).
Have fun !</description>
    </item>
    
    <item>
      <title>PTHPasteboard 4.4.0! Generic Mac OS X protector is found?</title>
      <link>https://reverse.put.as/2008/09/10/pthpasteboard-440-generic-mac-os-x-protector-is-found/</link>
      <pubDate>Wed, 10 Sep 2008 13:27:41 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2008/09/10/pthpasteboard-440-generic-mac-os-x-protector-is-found/</guid>
      <description>Beowulf pointed out that the PTHPasteboard application protection looked very similar to You Control Desktops. This got me curious and so I started messing around with it.
Facts:
License file isn’t crypted like You Control Desktops
Binaries don’t have integrity checks like You Control Desktops
public.pem has a checksum like You Control Desktops (SHA1 is used)
Function names are obfuscated like You Control Desktop
Demo is requested via web, although HTTPS is used instead of HTTP
Like You Control Desktops, there is a binary named Common
Since the protection is very similar we can try to conclude about the existence of a generic protector!</description>
    </item>
    
    <item>
      <title>News...</title>
      <link>https://reverse.put.as/2008/09/08/news/</link>
      <pubDate>Mon, 08 Sep 2008 16:28:20 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2008/09/08/news/</guid>
      <description>A peak of work and vacations results in no reversing for the past weeks :-(. I had some advances on Little Snitch and I will publish them soon.
Blackhat USA 2008 had some interesting stuff related to Mac OS X. An older paper related to DTrace (I really need to install Leopard to start messing around with DTrace) and another about Mac OS X Rootkits (very interesting!):
RE:Trace – Applied Reverse Engineering on OS X</description>
    </item>
    
    <item>
      <title>Little Snitch continued or the broken nib files!</title>
      <link>https://reverse.put.as/2008/08/12/little-snitch-continued-or-the-broken-nib-files/</link>
      <pubDate>Tue, 12 Aug 2008 11:13:46 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2008/08/12/little-snitch-continued-or-the-broken-nib-files/</guid>
      <description>Little Snitch is an awesome target to learn tons of stuff about Mac OS X. It’s a very worthy challenge and I’m loving it&amp;hellip; I gave up on it for a while to read some stuff about IPC and mach messaging since I have strong clues it’s being used for Little Snitch components communication. Little Snitch uses threads and other stuff to make reversing much harder. One of my various reversing threads was to try to beat the 3 hour limit but I couldn’t find a good entry point to start tracing the network filter initialization.</description>
    </item>
    
    <item>
      <title>Kernel module for syscall interception and fixing ptrace</title>
      <link>https://reverse.put.as/2008/08/06/kernel-module-for-syscall-interception-and-fixing-ptrace/</link>
      <pubDate>Wed, 06 Aug 2008 16:26:58 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2008/08/06/kernel-module-for-syscall-interception-and-fixing-ptrace/</guid>
      <description>Landon Fuller http://landonf.bikemonkey.org/code/macosx created a kernel module to bypass the PTRACE_DENY_ATTACH &amp;ldquo;anti-debug&amp;rdquo; feature of Mac OS X. For the Tiger version he used a deprecated API, removed on Leopard. For Leopard he re-routes the ptrace syscall to his own version by patching the syscall table. Since Leopard version is more interesting because we can use it to re-route other interesting syscalls (for cases where DYLD_INSERT_LIBRARIES trick isn’t interesting to use), I fixed his great code to be used with Tiger.</description>
    </item>
    
    <item>
      <title>Mac OS X Age of Empires III 1.0.4 NO CD patch</title>
      <link>https://reverse.put.as/2008/08/02/mac-os-x-age-of-empires-iii-104-no-cd-patch/</link>
      <pubDate>Sat, 02 Aug 2008 11:08:12 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2008/08/02/mac-os-x-age-of-empires-iii-104-no-cd-patch/</guid>
      <description>Nozio’s NO CD patch is only for the original version (1.0.0) so I did a little binary diffing of his patch/a bit of debugging and found where the protection is on version 1.0.4.
The following code makes the cd check:
00004f22 e8e9a80000 calll 0x0000f810 - call the cd check
00004f27 84c0 testb %al,%al
00004f29 7405 je 0x00004f30 - jump if no cd is present
So the patching is very easy, just NOP that jump if equal call and that’s it.</description>
    </item>
    
    <item>
      <title>Mac OS X Code injection</title>
      <link>https://reverse.put.as/2008/07/03/mac-os-x-code-injection/</link>
      <pubDate>Thu, 03 Jul 2008 16:24:13 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2008/07/03/mac-os-x-code-injection/</guid>
      <description>While trying to reverse Little Snitch I needed to understand the concept of mach ports (since I suspect it’s used for communication between the userland programs and the kernel extension) and found some nice articles and code about code injection in Mac OS X.
They are:
Mach Star (old but interesting): https://github.com/rentzsch/mach_star
Mach Inject and Mach Override (works for Intel!): http://guiheneuf.org/mach%20inject%20for%20intel.html
Abusing Mach on Mac OS X: http://www.uninformed.org/?v=4&amp;amp;a=3&amp;amp;t=sumry
http://guiheneuf.org/cross-task%20control%20on%20intel.html to enable the needed functions since they were made inactive since 10.</description>
    </item>
    
    <item>
      <title>More Mac OS X anti-debugging</title>
      <link>https://reverse.put.as/2008/06/26/more-mac-os-x-anti-debugging/</link>
      <pubDate>Thu, 26 Jun 2008 16:19:20 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2008/06/26/more-mac-os-x-anti-debugging/</guid>
      <description>Little Snitch is a program which I was very curious to hack around and try to beat its protection. I had a feeling it would be a very nice challenge and I can say it didn’t disappoint me!
The target is version 2.0.3, running on Tiger 10.4.11.
First protection to be defeated was the &amp;ldquo;classical&amp;rdquo; PTRACE_DENY_ATTACH. You Control Desktops explains and has links to this protection. If we try to attach gdb to one Little Snitch process (it has at least 3) we get a segmentation fault, so this should be PTRACE_DENY_ATTACH &amp;ldquo;protection&amp;rdquo;.</description>
    </item>
    
    <item>
      <title>How to bypass a protection with a single byte</title>
      <link>https://reverse.put.as/2008/06/24/how-to-bypass-a-protection-with-a-single-byte/</link>
      <pubDate>Tue, 24 Jun 2008 10:43:29 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2008/06/24/how-to-bypass-a-protection-with-a-single-byte/</guid>
      <description>I was looking for a Post-it like program for Mac OS X (I don’t like Stickies!) and found this nice one, Edgies (available at http://www.oneriver.jp/Edgies/index_e.html).
It has a very annoying register me protection which shows every few times you open/close a note.
My first attempt to bypass this was to go after the serial registration routine (it’s located in the RegistrationManager framework) but it appears to be too long and complicated to be worth the trouble.</description>
    </item>
    
    <item>
      <title>Reversing You Control Desktops v1.2</title>
      <link>https://reverse.put.as/2008/03/17/reversing-you-control-desktops-v12/</link>
      <pubDate>Mon, 17 Mar 2008 10:31:14 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2008/03/17/reversing-you-control-desktops-v12/</guid>
      <description>This is my first Mac OS X reversing tutorial. Target is You Control Desktops, which revealed itself to be a very nice target to reverse.
Download the files below and I hope you learn something from it.
There’s no interest whatsoever in piracy, but only in learning and improving things. What you do with this information is YOUR responsibility.
The keygen (and decrypt.c) make a nice example of OpenSSL API usage. Keygen is non working.</description>
    </item>
    
    <item>
      <title>How to change /etc/hosts</title>
      <link>https://reverse.put.as/2008/02/02/how-to-change-etchosts/</link>
      <pubDate>Sat, 02 Feb 2008 16:10:01 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2008/02/02/how-to-change-etchosts/</guid>
      <description>It’s useful to change /etc/hosts, especially with protections requesting online keys. After editing /etc/hosts you need to refresh OS X NetInfo Database. Just run the following command:
$ sudo niload -v -m hosts . &amp;lt; /etc/hosts
And then flush the cache with:
$ lookupd -flushcache
For Snow Leopard the command has changed. It is now:
$ dscacheutil -flushcache
And that’s it!</description>
    </item>
    
    <item>
      <title>Change network card MAC address</title>
      <link>https://reverse.put.as/2007/12/28/change-network-card-mac-address/</link>
      <pubDate>Fri, 28 Dec 2007 16:08:33 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2007/12/28/change-network-card-mac-address/</guid>
      <description>Since there are programs with serial numbers tied to network card MAC address it might be useful to change it.
There are some fancy GUI programs for this but it’s faster from terminal:
# ifconfig en0 lladdr X:XX:XX:XX:XX:XX
And that’s it…</description>
    </item>
    
    <item>
      <title>GDB input radix option</title>
      <link>https://reverse.put.as/2007/10/18/gdb-input-radix-option/</link>
      <pubDate>Thu, 18 Oct 2007 15:23:14 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2007/10/18/gdb-input-radix-option/</guid>
      <description>You can see code like this in GDB:
0x3001ce2b : movzx edx,BYTE PTR [ebp-80] &amp;lt;- 80 is decimal
0x3001ce2f : mov eax,DWORD PTR [ebx+0x206c2] &amp;lt;- 0x206c2 is hexadecimal
If you try to do x/x $ebp-80, you will get the wrong address because the default input radix is hexadecimal and not decimal.
But in the next line, it’s hexadecimal. I haven’t searched much about this, but it seems the decimal is used due to alignment.</description>
    </item>
    
    <item>
      <title>Must have tools</title>
      <link>https://reverse.put.as/2007/10/14/must-have-tools/</link>
      <pubDate>Sun, 14 Oct 2007 14:58:02 +0100</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/2007/10/14/must-have-tools/</guid>
      <description>A work in progress list&amp;hellip;
Otx – Graphical frontend for otool, the disassembler. http://otx.osxninja.com/
Burp Suite, Paros, Webscarab – web application assessment tools, including proxies (useful to sniff those online updates and registration schemes). http://research.corsaire.com/tools/
HexFiend – Hex Editor. http://ridiculousfish.com/hexfiend/</description>
    </item>
    
    <item>
      <title>About</title>
      <link>https://reverse.put.as/about/</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/about/</guid>
      <description>Welcome! This is my corner dedicated to reverse engineering, malware, rootkits, and security. Content is mostly dedicated to macOS.
My objective is to learn more about macOS and spread knowledge about whatever I find. Pursuit of knowledge, not illegal stuff!
Information can be used for good and for evil. If you are the copyright owner of any program/protection mentioned here and want the information removed please contact me.
Contact information:</description>
    </item>
    
    
    <item>
      <title>Crackmes</title>
      <link>https://reverse.put.as/crackmes/</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/crackmes/</guid>
      <description>A collection of crackmes for OS X. Send them to me if you have new ones to add!
User submitted (keep’em coming!):
CrackMe_nr1_qwertyoruiop.app.zip
SHA256(CrackMe_nr1_qwertyoruiop.app.zip)= 9a09b12b29f5a76a70dcaa863f777eaceaba68e10d51e20df3ca213df4ac4fcc
Nighthawk_CrackMe.zip
SHA256(Nighthawk_CrackMe.zip)= 5b9005b954d7ac8da40883e5fa78b180ea90f3d526918b22ca9ee84db9b34ad6
nilbytesCrackMe.zip
SHA256(nilbytesCrackMe.zip)= 22288b4038dc2044cd8bbb5b801c224fb55b2822fb4cbec1b4ed39bb9356b520
CrackMe.1.by.James.Moriarty.zip
SHA256(CrackMe.1.by.James.Moriarty.zip)= 266059c011736754ba1548bca85a3b86393c946fabbae0163a735a5af0597470
cykeycrackme_1.app.zip
SHA256(cykeycrackme_1.app.zip)= 6f7bc96cd8d774e71aa05cbb3c066f8be8ec78e5d917589b28c9f1e7a4708be5
From MSJ 2009 contest:
MSJ2009#1.zip
SHA1(MSJ2009#1.zip)= ed1e7ef4cc2d64cedbdaa85757371be5dae3aecb
MSJ2009#2.zip
SHA1(MSJ2009#2.zip)= 47685aab5f43c064e4b24903f868df1100461ed7
MSJ2009#3.zip
SHA1(MSJ2009#3.zip)= 6eaa7a552ff16320465f40708c9a576bc2f45a51
MSJ2009#4.zip
SHA1(MSJ2009#4.zip)= 704fc7a23b05f923d46d83779aa21fb8e01b672a
MSJ2009#5.zip
SHA1(MSJ2009#5.zip)= d658112201949386f025725f1582bf3ef5f73e6a
From HAWKE (someone left the link in the comments, I haven’t tried them yet but the code seems safe):</description>
    </item>
    
    <item>
      <title>Patches</title>
      <link>https://reverse.put.as/patches/</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <author>reverser@put.as (fG!)</author>
      <guid>https://reverse.put.as/patches/</guid>
      <description>All of these patches are also included in the GDB-NG project on GitHub.
This is a quick reference page for all my published patches.
GDB:
all_patches_v0.3.patch.gz
(SHA256(all_patches_v0.3.patch.gz)= 38a891327b14b94d73b7e6f5ef66b4848df03a59a8bac5e89b93869046078608)
all_patches.patch
(SHA1(all_patches.patch)= 74ee59cc213202d2d99c11ca8cde841890a7c7b6)
number_sects_anti_debug.patch
(SHA1(number_sects_anti_debug.patch)= 628498adc71b91447ba8860cec3829acf0eb7f46)
gdbinit_problem.patch
(SHA1(gdbinit_problem.patch)= efd8ab19d2675d601f02aa7f3b7ca21a9bee7704)
show_raw_bytes.patch
(SHA1(show_raw_bytes.patch)= 6ba57a401c1d3c0f6d7b31743da79ec63603752e)
commands_bug.patch.gz
(SHA256(commands_bug.patch.gz)= b84be03e73a5a5ada59ab8b7fbd595e531fe149446418750d5d747d6598aa6a0)</description>
    </item>
    
    
  </channel>
</rss>
