A little more fun with Mach-O headers: adding and spoofing a constructor

The fun with Mach-O headers continues, this time with a “simple” trick to inject a new constructor and “spoof” its location. It does not work on iOS (non-jb) and it will be killed if Apple decides to do things right and respect the specification, so let’s disclose it! Might be useful for some wannabe malware writer. I bet that OS X malware analysts are demanding some fun in their “boring” work time....

February 6, 2012 · 3 min · 594 words · fG!

Anti-disassembly & obfuscation #1: Apple doesn’t follow their own Mach-O specifications?

I smile when I think about this “feature”! I liked it so much that things got out of control and I wrote a crackme to show it. It happens because Apple doesn’t follow their own documentation/specification and the reversing tools of the trade do. The result is that IDA terminates, disassemblers output the wrong disassembly, strings are messed up, LLDB disassembles the wrong code (GDB does not), class-dump fails, and the reverser is left looking at a weird Mach-O header....

February 2, 2012 · 5 min · 1060 words · fG!

Anti-debug trick #1: Abusing Mach-O to crash GDB

I developed this funny trick while trying to find a solution for a problem in a project. It is pretty easy to implement and fun. The trick consists of abusing the offset field in the dylib_command and pointing it somewhere else. From the Mach-O File Format Reference document, the command structures are:

```c
struct dylib_command {
    uint32_t cmd;            /* LC_ID_DYLIB, LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, ... */
    uint32_t cmdsize;        /* includes the pathname string that follows */
    struct dylib dylib;      /* the library identification */
};

struct dylib {
    union lc_str name;       /* library's path name */
    uint32_t timestamp;      /* library's build time stamp */
    uint32_t current_version;
    uint32_t compatibility_version;
};

union lc_str {
    uint32_t offset;         /* offset to the string, relative to the load command */
#ifndef __LP64__
    char *ptr;               /* pointer to the string (32-bit only) */
#endif
};
```

The definition of the offset field is:...

January 31, 2012 · 2 min · 399 words · fG!
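To make the offset abuse concrete, here is an added example (not code from the original post or from any of the tools it names). It builds a minimal 64-bit Mach-O image in memory with three LC_LOAD_DYLIB commands: one well-formed, one whose lc_str.offset points past its own cmdsize into the next command's string, and one whose offset points far outside the file. It then reads the names twice, first the naive way (command address + offset, which is what a tool does when it trusts the field) and then with the bounds check that follows from the specification (the string has to live inside the command's own bytes). The library paths and the offset values are constructed for the demo; whether a given debugger build actually crashes on the wild offset is not exercised here.

```python
"""Added example, not from the original post: naive vs. bounds-checked
parsing of lc_str.offset in LC_LOAD_DYLIB load commands.

The image, library paths and offsets below are constructed for the demo.
"""
import struct

MH_MAGIC_64 = 0xFEEDFACF
LC_LOAD_DYLIB = 0x0C
HEADER64_SIZE = 32        # sizeof(struct mach_header_64)
DYLIB_CMD_FIXED = 24      # cmd, cmdsize, lc_str.offset, timestamp, current_version, compatibility_version


def build_dylib_command(path: bytes, name_offset: int = DYLIB_CMD_FIXED) -> bytes:
    """Serialize one dylib_command; name_offset is written into lc_str.offset."""
    payload = path + b"\0"
    cmdsize = DYLIB_CMD_FIXED + len(payload)
    cmdsize += (-cmdsize) % 8                         # 64-bit load commands are 8-byte aligned
    fixed = struct.pack("<IIIIII", LC_LOAD_DYLIB, cmdsize, name_offset,
                        2, 0x10000, 0x10000)          # timestamp, current/compat versions (arbitrary)
    return fixed + payload.ljust(cmdsize - DYLIB_CMD_FIXED, b"\0")


def build_image(commands) -> bytes:
    """mach_header_64 (x86_64, MH_EXECUTE) followed by the load commands."""
    body = b"".join(commands)
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2,
                         len(commands), len(body), 0, 0)
    return header + body


def iter_load_commands(image: bytes):
    """Yield (offset, cmd, cmdsize) for each load command, checking cmdsize stays in bounds."""
    magic, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from("<IiiIIIII", image, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    off, end = HEADER64_SIZE, HEADER64_SIZE + sizeofcmds
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", image, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("cmdsize runs past sizeofcmds at 0x%x" % off)
        yield off, cmd, cmdsize
        off += cmdsize


def naive_dylib_names(image: bytes):
    """What a tool does if it trusts lc_str.offset: read at command address + offset."""
    names = []
    for off, cmd, _ in iter_load_commands(image):
        if cmd != LC_LOAD_DYLIB:
            continue
        (name_off,) = struct.unpack_from("<I", image, off + 8)
        raw = image[off + name_off:]          # in C this is a wild pointer dereference
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def checked_dylib_names(image: bytes):
    """Spec-conformant: the string must lie inside this command's own cmdsize bytes."""
    results = []
    for off, cmd, cmdsize in iter_load_commands(image):
        if cmd != LC_LOAD_DYLIB:
            continue
        (name_off,) = struct.unpack_from("<I", image, off + 8)
        if not DYLIB_CMD_FIXED <= name_off < cmdsize:
            results.append(("BAD", name_off))     # offset outside the command: reject, don't deref
            continue
        raw = image[off + name_off:off + cmdsize]
        results.append(("OK", raw.split(b"\0", 1)[0].decode("ascii", "replace")))
    return results


def demo():
    good = build_dylib_command(b"/usr/lib/libSystem.B.dylib")
    # offset points just past this command's own bytes, into the next command's
    # string: a naive reader prints a plausible name that belongs to another command
    shifted_path = b"/usr/lib/libz.1.dylib"
    shifted_size = len(build_dylib_command(shifted_path))
    shifted = build_dylib_command(shifted_path, name_offset=shifted_size + DYLIB_CMD_FIXED)
    # offset far beyond the file: a C parser reads unmapped memory here
    wild = build_dylib_command(b"/usr/lib/libobjc.A.dylib", name_offset=0xDEAD0000)
    image = build_image([good, shifted, wild])
    return naive_dylib_names(image), checked_dylib_names(image)


if __name__ == "__main__":
    naive, checked = demo()
    print("naive  :", naive)
    print("checked:", checked)
```

The naive pass returns the right name for the first command, the neighbour's name for the second, and an empty string for the third (in Python the over-long slice is empty; in a C tool the same arithmetic is an out-of-bounds read). The checked pass reports the two bad offsets instead of dereferencing them, which is the behaviour a debugger or disassembler needs if it wants to survive this kind of header.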

We have a crackme winner!!!

This Sunday I received a valid keygen solution for my crackme. Congratulations to the reverser, who wishes to remain anonymous. When the solution is available our brain stops thinking and goes into lazy mode. So, my question is: when do you want me to start explaining some of the tricks used in that crackme? Right now? Next week? In a month? I asked the keygen author some questions to better understand his attack....

January 31, 2012 · 1 min · 109 words · fG!

My first crackme... from hell, I hope :-)

My first OS X crackme is finally ready, after a long wait and some unnecessary teasing. Ready means that it is good enough to be released and will hopefully give you some trouble reversing and cracking it. I still have many more ideas to implement and some areas could be more polished, but it was time to take an executive decision and freeze the code. There are some assumptions (economists love this term) due to the crackme nature; if it were a full application, more fun games could be played....

January 24, 2012 · 3 min · 456 words · fG!