Landon Fuller http://landonf.bikemonkey.org/code/macosx created a kernel module to bypass the PTRACE_DENY_ATTACH “anti-debug” feature of Mac OS X. For the Tiger version he used a deprecated API, removed on Leopard. For Leopard he re-routes the ptrace syscall to his own version by patching the syscall table. Since Leopard version is more interesting because we can use it to re-route other interesting syscalls (for cases where DYLD_INSERT_LIBRARIES trick isn’t interesting to use), I fixed his great code to be used with Tiger....

Nozio NO CD patch is only for original version (1.0.0) so I did a little of binary diffing of his patch/a bit of debugging and found where the protection is on version 1.0.4. The following code makes the cd check: 00004f22 e8e9a80000 calll 0x0000f810 - call the cd check 00004f27 84c0 testb %al,%al 00004f29 7405 je 0x00004f30 - jump if no cd is present So the patching is very easy, just NOP that jump if equal call and that’s it....

While trying to reverse Little Snitch I needed to understand the concept of mach ports (since I suspect it’s used for communication between the userland programs and the kernel extension) and found some nice articles and code about code injection in Mac OS X. They are: Mach Star (old but interesting): https://github.com/rentzsch/mach_star Mach Inject and Mach Override (works for Intel!): http://guiheneuf.org/mach%20inject%20for%20intel.html Abusing Mach on Mac OS X: http://www.uninformed.org/?v=4&a=3&t=sumry http://guiheneuf.org/cross-task%20control%20on%20intel.html to enable the needed functions since they were made inactive since 10....

Little Snitch is a program for which I was very curious to hack around and try to beat it’s protection. I had a feeling it would be a very nice challenge and I can say it didn’t disappointed me! The target is version 2.0.3, running on Tiger 10.4.11. First protection to be defeated was the “classical” PTRACE_DENY_ATTACH. You Control Desktops explains and has links to this protection. If we try to attach gdb to one Little Snitch process (it has at least 3) we get a segmentation fault, so this should be PTRACE_DENY_ATTACH “protection”....

I was looking for a Post-it like program for Mac OS X (I don’t like Stickies!) and found this nice one, Edgies (available at http://www.oneriver.jp/Edgies/index_e.html). It has a very annoying register me protection which shows every few times you open/close a note. My first attempt to bypass this was to go after the serial registration routine (it’s located at RegistrationManager framework) but it appears to be too long and complicated to be worth the trouble....