A bunch of old tutorials...

While cleaning my hard disk I have found a zip file with a few old Mac OS X cracking tuts. Most are for PPC but they are still useful for learning reversing techniques. Grab it here: tuts.zip (SHA1(tuts.zip)= 3a0e1729e811deb7b7e8e19e0d6a61c9e3831b84) My free time is almost zero since GMAT study is taking every second I have (well, Afro Samurai/The Godfather 2 are taking something too). A score higher than 700 is not an easy task....

April 7, 2009 · 1 min · 76 words

Defeating Little Snitch and thinking about piracy...

I have managed to bypass Little Snitch's 3-hour limit with a one or two bytes patch (can't remember and too lazy to check it now) three days after I had access to kernel debugging. A very well designed protection (at least it's a pain to analyse) was defeated because there was a weak element (there is always at least one weak element) and I easily found it. I have emailed OBDev about this and asked if they would allow me to publish details....

March 27, 2009 · 4 min · 678 words

Onyx The Black Cat v0.3

Version 0.3 is here. A couple of small bugs are fixed, module features can be controlled via sysctl variables (enable or disable features) and code is split into different source files (it was a mess in a single file!). Tiger support is removed so it's ready to work with Leopard 10.5.6. Check the README file for more info. As a bonus I discovered that the DTrace equivalent to PT_DENY_ATTACH is P_LNOATTACH, and it is bypassed due to our ptrace hijack....

March 25, 2009 · 1 min · 97 words

Mach-O binary offset calculator

I made a mistake in this tutorial! The way to calculate offsets to patch is wrong because I committed an inference error (analysed only a few binaries and assumed it to be correct). Found this while creating a program to calculate everything automatically. Check the code if you are interested in understanding how it's done. Meanwhile I will update the tutorial… Without any further delays, I present you with the Binary offset calculator....

March 13, 2009 · 2 min · 333 words

Why is kernel debugging fun?

Just look at this: I just got Little Snitch to keep working even with the network filter being off (that should be equivalent to an expired 3-hour trial). The game is still not over because only the Once button is working, but it seems I have my entry point 😄. Little Snitch works by using a socket filter (Apple document here) installed when the kernel module starts (Correction: the Little Snitch kernel module is an IOKit driver and not a simple kernel extension)....

March 9, 2009 · 1 min · 118 words