We have a crackme winner!!!

This Sunday I received a valid keygen solution for my crackme. Congratulations to the reverser who wishes to remain anonymous. When the solution is available our brain stops thinking and goes into lazy mode. So, my question is when do you want to have me starting to explain some of the tricks used in that crackme? Right now? Next week? In a month? I did some questions to the keygen author to better understand his attack....

January 31, 2012 · 1 min · 109 words

My first crackme... from hell, I hope :-)

My first OS X crackme is finally ready, after a long wait and some unnecessary teasing. Ready means that it is good enough to be released and hopefully give you some trouble to reverse and crack it. I still have many more ideas to implement and some areas could be more polished – it was time to take an executive decision and freeze the code. There are some assumptions (economists love this term) due to the crackme nature – if it was an application more fun games could be played....

January 24, 2012 · 3 min · 456 words

A Mac OS X port of Phrack’s CheckIDT util by kad, or another way to retrieve sysent address

This is a OS X port of kad’s checkidt utility featured at Phrack #59. It requires /dev/kmem to be active since task_for_pid on kernel task is prohibited since Snow Leopard. I have added an option to calculate the sysent address via the IDT. The code is not very fail proof because it uses the opcode hex values. Disassembly is probably a better option. This is just a PoC written some time ago so there are some ugly things inside....

January 10, 2012 · 1 min · 170 words

gdbinit v7.4.4 – the skip command

Here is a small update to gdbinit with a new command, skip. This command will skip over the current instruction, without executing it. Usually I do it manually by set $pc=newvalue but this involves copy & paste and mouse movements and gets boring after a while. It’s great to skip over calls while you are trying some stuff and analysing some program behavior. By default it will not execute the command at the new address....

January 10, 2012 · 2 min · 223 words

Some comments about plugin-alliance.com protection...

It sucks, sort of! Let me rewind to the beginning. I was very curious about this one because it was announced with great fanfare. I interpreted it as something more robust than it really is – maybe I was over enthusiastic with the “we know this will be cracked someday” sentence. Some brief comments: There are no anti-debug measures. There are no binary integrity protections – patch whatever you want! It has an annoying constant polling for the license file (I observed at least 5 hits per second – what a meaningless waste of CPU)....

January 9, 2012 · 2 min · 423 words