Mac OS X Age of Empires III 1.0.4 NO CD patch

Nozio's NO CD patch is only for the original version (1.0.0), so I did a little binary diffing of his patch and a bit of debugging and found where the protection is in version 1.0.4. The following code makes the CD check:

    00004f22 e8e9a80000 calll 0x0000f810   - call the CD check
    00004f27 84c0       testb %al,%al
    00004f29 7405       je 0x00004f30       - jump if no CD is present

So the patching is very easy: just NOP that jump if equal (je) and that's it....
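As an added example (not part of the original post or of Nozio's patch), here is a small patcher that applies exactly the change described above: the two-byte `je` after the CD check is replaced with two single-byte NOPs, so the "no CD" branch is never taken while the `call` and `testb` stay intact and the instruction stream keeps its alignment. The addresses in the listing are virtual addresses from the disassembler, and the file offset of the same bytes in the Mach-O will generally be different, so the script locates the full nine-byte instruction sequence (including the call's rel32 displacement, which makes it quite specific) instead of trusting an address. It refuses to patch unless the sequence occurs exactly once. The sample binary it runs against is a constructed stand-in built from filler bytes around that sequence; the function and constant names are this example's own.

```python
#!/usr/bin/env python3
"""Pattern-based patcher for the Age of Empires III 1.0.4 CD check.

The virtual addresses in the disassembly (0x00004f29 for the je) are not
file offsets, so the patch target is found by its bytes instead.  This is
the example's own approach, not something stated in the original post.
"""
import sys

# Bytes of the three instructions shown in the disassembly:
#   e8 e9 a8 00 00   calll 0x0000f810   (call the CD check)
#   84 c0            testb %al,%al
#   74 05            je 0x00004f30      (jump if no CD is present)
CD_CHECK_PATTERN = bytes.fromhex("e8e9a80000" "84c0" "7405")

# The je is the last two bytes of the pattern; replace it with two NOPs so
# the length of the patched code is unchanged and nothing shifts.
JE_OFFSET_IN_PATTERN = 7
NOP_NOP = b"\x90\x90"
PATCHED_PATTERN = CD_CHECK_PATTERN[:JE_OFFSET_IN_PATTERN] + NOP_NOP


def find_unique(data: bytes, pattern: bytes) -> int:
    """Return the offset of pattern in data; raise unless it occurs exactly once.

    Zero hits means a different build of the binary; more than one hit means
    the pattern is not specific enough to patch blindly.  Either way, stop.
    """
    first = data.find(pattern)
    if first < 0:
        raise ValueError("CD check pattern not found (different build?)")
    if data.find(pattern, first + 1) >= 0:
        raise ValueError("CD check pattern is not unique; refusing to patch")
    return first


def patch_cd_check(data: bytes) -> bytes:
    """Return a copy of data with the je after the CD check NOPed out."""
    je_off = find_unique(data, CD_CHECK_PATTERN) + JE_OFFSET_IN_PATTERN
    patched = bytearray(data)
    patched[je_off:je_off + len(NOP_NOP)] = NOP_NOP
    return bytes(patched)


def is_patched(data: bytes) -> bool:
    """True when the NOPed sequence is present and the original one is gone."""
    return CD_CHECK_PATTERN not in data and PATCHED_PATTERN in data


# Constructed stand-in for the executable: filler bytes around the sequence.
SAMPLE_BINARY = b"\xcc" * 16 + CD_CHECK_PATTERN + b"\xcc" * 16


def main(argv):
    """Usage: patch_nocd.py <in-binary> <out-binary>  (writes a patched copy)."""
    if len(argv) != 3:
        print("usage: %s <in-binary> <out-binary>" % argv[0], file=sys.stderr)
        return 2
    with open(argv[1], "rb") as f:
        data = f.read()
    je_off = find_unique(data, CD_CHECK_PATTERN) + JE_OFFSET_IN_PATTERN
    with open(argv[2], "wb") as f:
        f.write(patch_cd_check(data))
    print("NOPed je at file offset 0x%x" % je_off)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Always write to a copy rather than in place, and keep the original: if the game later checks its own integrity or a newer build moves the code, the uniqueness check above will tell you before any bytes are touched.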

August 2, 2008 · 1 min · 87 words

Mac OS X Code injection

While trying to reverse Little Snitch I needed to understand the concept of Mach ports (since I suspect they are used for communication between the userland programs and the kernel extension) and found some nice articles and code about code injection in Mac OS X. They are:

    Mach Star (old but interesting): https://github.com/rentzsch/mach_star
    Mach Inject and Mach Override (works for Intel!): http://guiheneuf.org/mach%20inject%20for%20intel.html
    Abusing Mach on Mac OS X: http://www.uninformed.org/?v=4&a=3&t=sumry
    http://guiheneuf.org/cross-task%20control%20on%20intel.html to enable the needed functions since they were made inactive since 10....

July 3, 2008 · 1 min · 86 words

More Mac OS X anti-debugging

Little Snitch is a program I was very curious to hack around with and try to beat its protection. I had a feeling it would be a very nice challenge and I can say it didn't disappoint me! The target is version 2.0.3, running on Tiger 10.4.11. The first protection to be defeated was the "classical" PTRACE_DENY_ATTACH. The You Control Desktops tutorial explains this protection and has links about it. If we try to attach gdb to one Little Snitch process (it has at least 3) we get a segmentation fault, so this should be the PTRACE_DENY_ATTACH "protection"....

June 26, 2008 · 8 min · 1586 words

How to bypass a protection with a single byte

I was looking for a Post-it like program for Mac OS X (I don't like Stickies!) and found this nice one, Edgies (available at http://www.oneriver.jp/Edgies/index_e.html). It has a very annoying "register me" nag which shows up every few times you open/close a note. My first attempt to bypass this was to go after the serial registration routine (it lives in the RegistrationManager framework), but it appears to be too long and complicated to be worth the trouble....

June 24, 2008 · 2 min · 354 words

Reversing You Control Desktops v1.2

This is my first Mac OS X reversing tutorial. The target is You Control Desktops, which turned out to be a very nice target to reverse. Download the files below and I hope you learn something from them. There's no interest whatsoever in piracy, only in learning and improving things. What you do with this information is YOUR responsibility. The keygen (and decrypt.c) make a nice example of OpenSSL API usage. The keygen is non-working....

March 17, 2008 · 1 min · 182 words