Posts

By serendipity I just noticed that this blog 18th birthday was four days ago! The first blogpost was on 14th October, 2007. Uau!!! It all started when I was job bored to death, bought my first MacBook (still have it!) and started cracking er… reversing stuff. At the time there wasn’t much RE information (and tooling) for Mac as there was for Windows. And then I decided to quit, take an MBA because why not, and then missed a whole new career in management because of cultural misunderstandings (turns out that emailing Asian companies telling their processes are wrong isn’t well accepted)....

The APT Down leak contained four code signing certificates and the passphrase only for the most recent one. Since the passphrase was found on the usual rockyou.txt wordlist, I was curious to see if the remaining three could be cracked using the same wordlist. I started this project by writing a small utility to decrypt the PVK key, as it could be easily tested with the known passphrase. The code appeared correct, but it wasn’t working....

This weekend two real hackers leaked the results of an hack to a possible APT linked to China and/or North Korea. Big hat tip and thanks to Saber and cyb0rg for disclosing such interesting material! The leak can be found here at Distributed Denial of Secrets. The Phrack article is included in the archive while Phrack #72 isn’t released online (come on people finish that CTF!). The authors describe some of the contents and ask for help analysing the rest of the contents....

I haven’t seen this trick in the wild (and couldn’t find any references) and I’m dumbfounded as to why I didn’t notice it before. I knew and used this feature a lot, but assumed that the underlying breakpoint was only set when the option was enabled (assumptions, assumptions…tss tss tss). The story starts with an upgrade to macOS 15.4. Given Apple’s recent software quality issues, it comes as no surprise that this update broke some custom debugger-related code I was using....

A few weeks ago, Copycat sent me an email asking if I knew anything about the TNT warez group macOS cracks. They were worried that the cracks could be used to leverage malware since TNT is (?) Russia based. Cyber war is real and this could be an interesting case to look at. These cracks are based on a dynamic library injection, with obfuscated code and anti-debugging measures. This of course triggered my curiosity since the usual anti-anti-debugging measures (ptrace & friends) weren’t working. Even more interesting, one of the cracked apps had pro-Ukraine related content that was modified, so it was a perfect target for malware. Even if malware free, what was behind the obfuscation and anti-debugging? ...