Anatomy of a GDB anti-debug trick

Well, it seems this is the GDB post season! The past days have been dedicated to messing around with GDB source code and today I have what I think is a nice story to tell. After hacking off my old wish of having the disassembly raw bytes printed (like Ollydbg, Softice, IDA, otx, etc...) I was interested in trying to fix one anti-debug trick. This presentation by nemo shows an anti-debug trick that works against GDB and others....

August 13, 2009 · 6 min · 1093 words

Fix for Apple’s GDB bug or why Apple forks are bad...

It's not a breakthrough post but I finally found where the bug that messed up gdbinit is located. I got obsessed with this problem and started browsing GDB source code. I knew that the problem occurred when the file or add-symbol commands were used. The difference between file and exec-file is that symbols are loaded, so that was my starting point. This was more or less my flow:

    file -> file_command -> symbol_file_command -> symbol_file_add_main_1 -> symbol_file_add_name_with_addrs_or_offsets -> symbol_file_add_with_addrs_or_offsets -> symbol_file_add_with_addrs_or_offsets_using_objfile -> new_symfile_objfile -> clear_symtab_users -> clear_internalvars...

August 10, 2009 · 3 min · 523 words

Workaround for Apple’s GDB bug...

I had unconsciously found the workaround a few months ago while hacking around Little Snitch with kernel debugging. To make things easier I had a small GDB script to call the debug kit macros and set all the variables that are the source of the problem with gdbinit. This was something I never thought about, I just accepted it. Today, while answering a comment, the connection was made inside my brain (I love how the brain works!...

August 6, 2009 · 1 min · 128 words

gdbinit 7.1.7 and some bla bla bla...

Greetings! For the past weeks I have been pretty much bored with any kind of reversing, so all my projects are stopped. Today I decided to fix some bugs in gdbinit and the result is version 7.1.7. The assemble command is finally fixed, added some semi-useful commands and changed some colours. Nothing big 😄. Blackhat USA 2009 had a very interesting presentation about hacking Apple's keyboard firmware updates. The paper and presentation are really very nice and create a very interesting attack vector....

August 5, 2009 · 1 min · 190 words

A little disassembler for MPress packer...

Since otool and otx can't disassemble the packed binary, Andreas Gumundsson wrote a quick tool to do that job, using Udis86, a disassembler library for x86 and AMD64. Check the source to see the required compiler options. Example usage:

    $ ./disas -f mmpress.i386 -t macho | head -10
    Found entrypoint inmemory address 0xd6b0
    NCMDS 2
    CMD 1
    Looking in __MPRESS__v.1.21
    Found entrypoint file offset 0x36b0
    sub ebx, ebx
    mov edi, ebx
    call 0xd6b9
    pop eax
    add eax, 0x27c

Original source available here, and a local copy here....
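The step between the two "Found entrypoint" lines above is the one otool and otx skip for a packed binary: walking the Mach-O load commands to find which segment maps the entrypoint's in-memory address and translating it to a file offset, where the disassembler can start reading. The following is an added example of that translation and is not the disas tool or its source. The Mach-O structures are declared inline so it builds on any platform, the image it parses is constructed in the code (one __PAGEZERO and one segment named like the packer's, mapped with the same 0xa000 delta between vm address and file offset as the output above) and is not an MPress binary, and the entrypoint address is taken as a parameter rather than read out of the binary.

```c
/* Added example, not the original disas tool: translate a Mach-O in-memory
 * address to a file offset by walking LC_SEGMENT commands.  Host-endian
 * (an i386 image on a little-endian host); structures declared inline so
 * <mach-o/loader.h> is not needed.  The sample image below is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MH_MAGIC   0xfeedface   /* 32-bit Mach-O, host byte order */
#define LC_SEGMENT 0x1
#define SAMPLE_IMAGE_SIZE 0x4000

struct mach_header32 {
    uint32_t magic, cputype, cpusubtype, filetype;
    uint32_t ncmds, sizeofcmds, flags;
};
struct load_cmd { uint32_t cmd, cmdsize; };
struct segment_cmd32 {
    uint32_t cmd, cmdsize;
    char     segname[16];
    uint32_t vmaddr, vmsize, fileoff, filesize;
    uint32_t maxprot, initprot, nsects, flags;
};

/* Returns the file offset backing vaddr, or -1 if no LC_SEGMENT maps it to
 * file bytes.  segname (at least 17 bytes) receives the matching segment's
 * name.  Every load command is bounds-checked against the buffer first. */
long vaddr_to_fileoff(const uint8_t *buf, size_t len, uint32_t vaddr, char *segname)
{
    struct mach_header32 mh;
    if (len < sizeof mh) return -1;
    memcpy(&mh, buf, sizeof mh);
    if (mh.magic != MH_MAGIC) return -1;

    size_t off = sizeof mh;
    for (uint32_t i = 0; i < mh.ncmds; i++) {
        struct load_cmd lc;
        if (off + sizeof lc > len) return -1;
        memcpy(&lc, buf + off, sizeof lc);
        if (lc.cmdsize < sizeof lc || off + lc.cmdsize > len) return -1;
        if (lc.cmd == LC_SEGMENT && lc.cmdsize >= sizeof(struct segment_cmd32)) {
            struct segment_cmd32 sc;
            memcpy(&sc, buf + off, sizeof sc);
            /* Only bytes backed by the file count: vmsize may exceed filesize
             * (zero-fill), and __PAGEZERO has no file bytes at all. */
            if (vaddr >= sc.vmaddr && vaddr - sc.vmaddr < sc.filesize) {
                memcpy(segname, sc.segname, 16);
                segname[16] = '\0';
                return (long)(sc.fileoff + (vaddr - sc.vmaddr));
            }
        }
        off += lc.cmdsize;
    }
    return -1;
}

static void set_segment(struct segment_cmd32 *s, const char *name, uint32_t vmaddr,
                        uint32_t vmsize, uint32_t fileoff, uint32_t filesize)
{
    memset(s, 0, sizeof *s);
    s->cmd = LC_SEGMENT;
    s->cmdsize = sizeof *s;
    memcpy(s->segname, name, strlen(name) < 16 ? strlen(name) : 16); /* 16-byte field, no NUL when full */
    s->vmaddr = vmaddr; s->vmsize = vmsize; s->fileoff = fileoff; s->filesize = filesize;
}

/* Constructed sample: header + __PAGEZERO (no file bytes) + a packer-named
 * segment at vm 0xa000 backed by file offset 0, so vm 0xd6b0 -> file 0x36b0. */
size_t build_sample_image(uint8_t *out, size_t cap)
{
    if (cap < SAMPLE_IMAGE_SIZE) return 0;
    memset(out, 0, SAMPLE_IMAGE_SIZE);
    struct mach_header32 mh = { MH_MAGIC, 7 /* CPU_TYPE_I386 */, 3, 2 /* MH_EXECUTE */,
                                2, 2 * sizeof(struct segment_cmd32), 0 };
    struct segment_cmd32 pz, mp;
    set_segment(&pz, "__PAGEZERO", 0, 0x1000, 0, 0);
    set_segment(&mp, "__MPRESS__v.1.21", 0xa000, 0x4000, 0, 0x4000);
    memcpy(out, &mh, sizeof mh);
    memcpy(out + sizeof mh, &pz, sizeof pz);
    memcpy(out + sizeof mh + sizeof pz, &mp, sizeof mp);
    return SAMPLE_IMAGE_SIZE;
}

int main(void)
{
    static uint8_t img[SAMPLE_IMAGE_SIZE];
    size_t len = build_sample_image(img, sizeof img);
    char seg[17];
    long off = vaddr_to_fileoff(img, len, 0xd6b0, seg);
    if (off < 0) { puts("entrypoint not mapped by any segment"); return 1; }
    printf("Looking in %s\nFound entrypoint file offset 0x%lx\n", seg, off);
    return 0;
}
```

The filesize check is the part worth keeping when adapting this: a packed binary typically has a large vmsize for the unpacking area, and treating it as file-backed would hand the disassembler an offset past the end of the file.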

July 23, 2009 · 1 min · 145 words