Reverse Engineering

How to compile GDB for iOS!

One obstacle that I faced long time ago and came again into spotlight is how to recompile GDB for iOS. It is not useful to fix the ARM disassembler and then not be able to compile. As far as I know there isn’t any documentation available or an easy method to accomplish this – Saurik’s build environment is not public (?) and Apple sources do not compile directly. Darwinbuild project works great for OS X but it’s a question mark for iOS....

gdbinit v8.0: simultaneous support for x86/x86_64 and ARM architectures!

Here it is, a merge between the x86 and ARM versions of gdbinit. The only inconvenience is that you need to manually change the target, using the 32bits and 64bits commands for x86/x86_64 architectures, and arm for ARM. That’s a small price to pay for. This version features a lot of cosmetic fixes (indentation mostly) but also some fixes to the ARM related code, and a new command – dumpmacho. This command will dump the Mach-O header to a file....

Dynamic Code Encryption in OS X: the crackme example!

The title of this post is a partial rip-off of Dynamic Code Encryption as an Anti Dump and Anti Reverse Engineering measure blogpost. Alexey describes a technique similar to the one I used in my crackme, which isn’t altogether that new. His post is a good introduction to some possible attack vectors and what is at stake. You should give it a look. The crackme uses a multi-layer dynamic code encryption approach, with two different encryption algorithms (Rabbit and Salsa)....

A small improvement to OS X “rootkitery”: bruteforcing sysent discovery, fast & easy!

I love to read about the Human brain and yesterday I was feeling weird about this thing. As far as I know, everyone (publicly) was trying to search sysent in one way or another after Apple removed the sysent symbols but not bruteforcing it. It seems no one bothered to question the original method (Landon Fuller?) and just kept using it. Are there any historical reasons for this? I can’t remember any....

AV-monster: the monster that loves yummy OS X anti-virus software

Welcome to another “silly” evil idea that abuses bad design decisions, bad implementations and lazyness. It is the last of my ideas in a state of semi-disclosure so let’s move it to full disclosure status. The full disclosure discussion will probably never end. There are too many interests at stake, mostly in opposite directions. For me it’s worrisome that (security) products are available with notorious design/implementation flaws which put customers at risk and fail on their purpose....