News...

A peak of work and vacations has resulted in no reversing for the past weeks :-(. I had some advances on Little Snitch and I will publish them soon. Blackhat USA 2008 had some interesting stuff related to Mac OS X: an older paper related to DTrace (I really need to install Leopard to start messing around with DTrace) and another about Mac OS X rootkits (very interesting!): RE:Trace – Applied Reverse Engineering on OS X...

September 8, 2008 · 1 min · 117 words · fG!

Little Snitch continued or the broken nib files!

Little Snitch is an awesome target to learn tons of stuff about Mac OS X. It’s a very worthy challenge and I’m loving it… I gave up on it for a while to read some stuff about IPC and Mach messaging, since I have strong clues it’s being used for communication between the Little Snitch components. Little Snitch uses threads and other tricks to make reversing much harder. One of my various reversing threads was to try to beat the 3-hour limit, but I couldn’t find a good entry point to start tracing the network filter initialization....

August 12, 2008 · 3 min · 552 words · fG!

Kernel module for syscall interception and fixing ptrace

Landon Fuller (http://landonf.bikemonkey.org/code/macosx) created a kernel module to bypass the PTRACE_DENY_ATTACH “anti-debug” feature of Mac OS X. For the Tiger version he used a deprecated API, removed on Leopard. For Leopard he re-routes the ptrace syscall to his own version by patching the syscall table. Since the Leopard version is more interesting, because we can use it to re-route other interesting syscalls (for cases where the DYLD_INSERT_LIBRARIES trick isn’t useful), I fixed his great code to be used with Tiger....

August 6, 2008 · 1 min · 144 words · fG!

Mac OS X Age of Empires III 1.0.4 NO CD patch

Nozio’s NO CD patch is only for the original version (1.0.0), so I did a little binary diffing of his patch and a bit of debugging and found where the protection is on version 1.0.4. The following code makes the CD check:

00004f22 e8e9a80000 calll 0x0000f810 - call the cd check
00004f27 84c0 testb %al,%al
00004f29 7405 je 0x00004f30 - jump if no cd is present

So the patching is very easy, just NOP that jump-if-equal instruction and that’s it....

August 2, 2008 · 1 min · 87 words · fG!

Mac OS X Code injection

While trying to reverse Little Snitch I needed to understand the concept of Mach ports (since I suspect it’s used for communication between the userland programs and the kernel extension) and found some nice articles and code about code injection in Mac OS X. They are:

Mach Star (old but interesting): https://github.com/rentzsch/mach_star
Mach Inject and Mach Override (works for Intel!): http://guiheneuf.org/mach%20inject%20for%20intel.html
Abusing Mach on Mac OS X: http://www.uninformed.org/?v=4&a=3&t=sumry

http://guiheneuf.org/cross-task%20control%20on%20intel.html to enable the needed functions since they were made inactive since 10....

July 3, 2008 · 1 min · 86 words · fG!