"Removing" Apple code signing from a binary...

A few months ago, while discussing code signing with a user (PTHPasteboard project), I had the idea to “revirgin” the code-signed binary by removing the Mach-O LC_CODE_SIGNATURE command. As usual with my many ideas, I never explored that one, until today when I received an email asking about this idea. I decided to give it a try. My code is a simple Hello world, compiled for i386 only. After the binary is compiled, I sign it with my test certificate and mark the process to be killed if code signing fails....

May 29, 2009 · 4 min · 664 words · fG!

Cracking a Mac OS X Screensaver

There are days I “hate” my obsessive and curious mind! The day I was checking Apple's “Just added” downloads feed and found this nice screensaver is one of those. 3D Desktop Aquarium Screensaver (available at http://www.uselesscreations.com) grabbed my attention because it looks nice and I love fishes. As usual, I started poking around and decided I had to crack it because I had never done a screensaver before. The result is another tutorial 😄....

April 16, 2009 · 1 min · 163 words · fG!

A bunch of old tutorials...

While cleaning my hard disk I have found a zip file with a few old Mac OS X cracking tuts. Most are for PPC but they are still useful for learning reversing techniques. Grab it here: tuts.zip (SHA1(tuts.zip)= 3a0e1729e811deb7b7e8e19e0d6a61c9e3831b84) My free time is almost zero since GMAT study is taking every second I have (well, Afro Samurai/The Godfather 2 are taking something too). A score higher than 700 is not an easy task....

April 7, 2009 · 1 min · 76 words · fG!

Defeating Little Snitch and thinking about piracy...

I have managed to bypass Little Snitch's 3-hour limit with a one- or two-byte patch (can’t remember and too lazy to check it now) three days after I had access to kernel debugging. A very well designed protection (at least it’s a pain to analyse) was defeated because there was a weak element (there is always at least one weak element) and I easily found it. I have emailed OBDev about this and asked if they would allow me to publish details....

March 27, 2009 · 4 min · 678 words · fG!

Onyx The Black Cat v0.3

Version 0.3 is here. A couple of small bugs are fixed, module features can be controlled via sysctl variables (enable or disable features) and code is split into different source files (it was a mess in a single file!). Tiger support is removed so it’s ready to work with Leopard 10.5.6. Check the README file for more info. As a bonus I discovered that the DTrace equivalent to PT_DENY_ATTACH is P_LNOATTACH, and is bypassed due to our ptrace hijack....

March 25, 2009 · 1 min · 97 words · fG!