It’s not a breakthrough post but I finally found where the bug that messed up gdbinit is located. I got obsessed into this problem and started browsing GDB source code. I knew that the problem ocurred when the file or add-symbol commands were used. The difference from file to exec-file is that symbols are loaded so that was my starting point. This was more or less my flow: file -> file_command -> symbol_file_command -> symbol_file_add_main_1 -> symbol_file_add_name_with_addrs_or_offsets -> symbol_file_add_with_addrs_or_offsets -> symbol_file_add_with_addrs_or_offsets_using_objfile -> new_symfile_objfile -> clear_symtab_users -> clear_internalvars...

I had unconsciously found the workaround a few months ago while hacking around Little Snitch with kernel debugging. To make things easier I had a small GDB script to call the debug kit macros and set all the variables that are the source of the problem with gdbinit. This was something I never thought about, just accepted it. Today, while answering to a comment, the connection was made inside my brain (I love how the brain works!...

Greetings ! For the past weeks I have been pretty much bored with any kind of reversing so all my projects are stopped. Today I decided to fix some bugs at gdbinit and the result is version 7.1.7. The assemble command is finally fixed, added some semi-useful commands and changed some colours. Nothing big 😄. Blackhat USA 2009 had a very interesting presentation about hacking Apple’s keyboard firmware updates. The paper and presentation are really very nice and create a very interesting attack vector....

Since otool and otx can’t disassemble the packed binary, Andreas Gumundsson wrote a quick tool to do that job, using Udis86, a disassembler library for x86 and AMD64. Check the source to see the required compiler options. Example usage: $ ./disas -f mmpress.i386 -t macho | head -10 Found entrypoint inmemory address 0xd6b0 NCMDS 2 CMD 1 Looking in __MPRESS__v.1.21 Found entrypoint file offset 0x36b0 sub ebx, ebx mov edi, ebx call 0xd6b9 pop eax add eax, 0x27c Original source available here, and a local copy here....

Someone at macserialjunkie board posted a problem with the mpress packer. Since packers are a pretty rare thing at OS X and I was bored, I decided to give it a quick look. The result is another tutorial about manually unpacking this kind of binary. It’s not hard and the packer isn’t that great. Objective-C binaries can be dumped but there is a problem with NIB references, I think. I was already investigating this problem with other dumping experiences....