There is a new version of original +mammon gdbinit, 7.0 (available at http://truthix.dump.cz/files/.gdbinit). GDB version used by Apple has some problems with it (doesn’t recognize global variables outside each function) so it needed some fixes to work. I have changed the colors and removed the data window display (personally I don’t think it’s useful, edit define context and remove the comment for datawin). Grab it here: gdbinit If you want to see what was changed, just diff the two versions!...

Here it is with support for Leopard and extended attributes. All calls related to extended attributes are traced and dumped to /var/log/system.log (I find it more useful than fs_usage for this specific calls). Check the .c file for options related to this. For Leopard support you need to edit the .c file and change the define. I’m still searching for a better way to detect Leopard or Tiger in XCode. Maybe a Makefile flag....

I started working on Remote Buddy (http://www.iospirit.com) to test my module Onyx The Black Cat. Some encrypted files are stored in the hard disk (fs_usage is your friend) but even after deleting all of them, the program still had expired trial. GDB to the rescue! After finding the correct “entrypoint” (I call entrypoint to the correct address which helps you starting to understand or find what you are interested in) and reading lots of code (the code is “unoptimized”, probably to make our reversing job boring) I finally found the interesting call, getxattr....

Here it is my crazy idea to create an anti anti-debug kernel module so reversing efforts get a little easier and faster against “hostile” code. This module will protect you against the classic PT_DENY_ATTACH trick and the sysctl debugger detection trick http://developer.apple.com/qa/qa2004/qa1361.html. For now it’s only compatible with Mac OS X Tiger v10.4.11. Soon I will make it compatible with Leopard. Grab the binaries here: onyx-the-black-cat.kext.v0.1.tgz. This is a small program to test the sysctl trick: antidebug....

Excellent book! Recommended if you are into Reverse Engineering and not only IDA specific. Well written with lots of examples. Really enjoyed it. Well worth the money (and even cheaper if you use Amazon Market Place). I’m back with huge amounts of work so my reversing efforts are on a halt. Let’s see if things get calm again so I can try some ideas :-).