I started working on Remote Buddy (http://www.iospirit.com) to test my module Onyx The Black Cat. Some encrypted files are stored in the hard disk (fs_usage is your friend) but even after deleting all of them, the program still had expired trial. GDB to the rescue! After finding the correct “entrypoint” (I call entrypoint to the correct address which helps you starting to understand or find what you are interested in) and reading lots of code (the code is “unoptimized”, probably to make our reversing job boring) I finally found the interesting call, getxattr....

Here it is my crazy idea to create an anti anti-debug kernel module so reversing efforts get a little easier and faster against “hostile” code. This module will protect you against the classic PT_DENY_ATTACH trick and the sysctl debugger detection trick http://developer.apple.com/qa/qa2004/qa1361.html. For now it’s only compatible with Mac OS X Tiger v10.4.11. Soon I will make it compatible with Leopard. Grab the binaries here: onyx-the-black-cat.kext.v0.1.tgz. This is a small program to test the sysctl trick: antidebug....

Excellent book! Recommended if you are into Reverse Engineering and not only IDA specific. Well written with lots of examples. Really enjoyed it. Well worth the money (and even cheaper if you use Amazon Market Place). I’m back with huge amounts of work so my reversing efforts are on a halt. Let’s see if things get calm again so I can try some ideas :-).

Hello, If you want to have some fun and maybe improve your security/reversing skills, you might try this site http://www.dareyourmind.net. It has some nice challenges in different fields (reversing is only for Windows, but hey you should be able to reverse anything!). Have fun !

Beowulf pointed out to PTHPasteboard application protection looked very similar to You Control Desktops. This got me curious and so I started messing around with it. Facts: License file isn’t crypted like You Control Desktops Binaries don’t have integrity checks like You Control Desktops public.pem has a checksum like You Control Desktops (SHA1 is used) Function names are obfuscated like You Control Desktop Demo is requested via web, altough HTTPS is used instead HTTP Like You Control Desktops, there is a binary named Common Since protection is very similar we can try to conclude about the existence of a generic protector!...