Reversing MacOSX


  • 8/11/2019 Reversing MacOSX

    1/27

Universe's best and legal Mac OS X reversing tutorial for newbies (or maybe not!)
------------------------------------------------------------------------------
(c) 2011 Fractal Guru (reverse AT put.as , http://reverse.put.as)

Target: Macserialjunkie.com Cracking Challenge 09 #1
Tools used: OTX, GDB, 0xED, gcc
Platform: Mac OS X Snow Leopard 10.6.5 @ Intel x86
Document version: 0.1 (12/02/2011)

Index:
0 - Introduction
1 - Building our toolkit
2 - How to use our tools
2.1 - OTX
2.2 - GDB
2.3 - Putting otx and gdb together
3 - Reversing and cracking Challenge #1
3.0 - Introduction and workflow
3.1 - Patching the binary
3.2 - Fishing a valid serial number
3.3 - Keygen
4 - Conclusion

0 - Introduction
----------------
Update from the original version:

Reversing and breaking protections is a great hobby and fantastic knowledge to possess.
The problem is that many abuse this and want to profit from it. I really don't like not sharing
knowledge, because sharing also allows me to progress, seeking new challenges and learning new things.
I really hope that you make good use of this information and do not share your cracks with the world,
especially at MSJ, which is full of idiots just wanting to rip off others' work. Don't do that, please.
Don't make me regret once again releasing knowledge that may ease piracy!
Enjoy the process, learn, get frustrated, and buy the apps if you really use them in your day to day.
This tutorial is still based on 32-bit binaries.

Have fun,
fG!

    ----

One of the most difficult tasks is to write a tutorial for beginners. It's not an easy task,
so here's an attempt to create one that can launch people with some basic knowledge into the
world of reverse engineering (I consider cracking a subset of reverse engineering, and a very
useful one as a learning platform).
It's assumed you have basic x86 assembly knowledge (there are already too many good tutorials about this!).
Some URLs:
http://www.woodmann.com/crackz/Getstart.htm
http://www.uc-forum.com/forum/programming-beginners/63947-reverse-engineering-beginners-guide-x86-assembly-and-debugging-windows-apps.html
http://en.wikipedia.org/wiki/Assembly_language

The term "function" will be used a lot. If you know Objective-C or C++, you know it's not entirely
correct to use it: "method" would be more correct in this context. But some parts of this tutorial
can be used to reverse other languages where the term function is correct. It shouldn't be a big
deal for you to handle.

A word of caution: reversing/cracking is about exploring and thinking. You should get used to
thinking about and exploring problems and finding solutions for them. These days, Google and other search
engines are your main friends and they can make your task much easier! Get used to searching, thinking
and exploring! That's the beauty of reverse engineering: diving into the unknown!

And now, let's start the fun!
fG!

1 - Building our toolkit
--------------------------
The first step is to build our reversing toolkit.
For me, two tools are essential: a disassembler and a debugger (especially this one!).
There are three available disassemblers and two debuggers. In disassemblers we have
IDA Pro, otool and OTX. IDA is the most famous and powerful but it's paid (there is a demo
version available (Hex-Rays released a native OS X demo version!), and a warez version is around of
course) and it's expensive. If you are serious about the RE field and can buy it, do it!
If your company can buy it, ask them to buy it. It's worth the money!
An excellent book about IDA is "The IDA Pro Book: The Unofficial Guide to the World's Most Popular Disassembler"
by Chris Eagle. Buy it if you can (it's not that expensive and the author deserves it!).
The other two options are technically just one, since OTX is a frontend for otool.
OTX is available at: http://otx.osxninja.com/
otool is part of Xcode, available at: http://developer.apple.com/ (open an account, it's free!)
GDB is part of Xcode as well, so you should download both.
The available debuggers are GDB and IDA (the debugger is integrated with the disassembler).
GDB is free and part of Xcode. This tutorial will use GDB since it's faster to use (IDA debugs
OS X targets through its remote debugging server, which makes the setup more cumbersome) and it's capable
of doing everything we need for this tutorial and any future uses you may have.

To make GDB even easier to use, you should grab gdbinit. This is a script for GDB that will
enhance its output and has macros to make our work easier and faster.


Grab my modified version here: http://reverse.put.as/wp-content/uploads/2010/04/gdbinit73

To install gdbinit, you will need to copy it into your home folder with the name ".gdbinit".

For example, if you have downloaded the file gdbinit73 into your Downloads folder, you can install
it using Terminal.app with the following command:
$ cp ~/Downloads/gdbinit73 ~/.gdbinit

~ in Unix means your home folder.

There is a bug in Apple's GDB version. You can read about it here: http://reverse.put.as/2008/11/28/apples-gdb-bug/
It's annoying but not a big obstacle to our work, though it's useful to fix it.
You might also want to have a look at http://reverse.put.as/2009/08/26/gdb-patches/ , which features other patches.

The next tool is a hex editor. I use 0xED, available at http://www.suavetech.com/0xed/0xed.html.
Hex Fiend is another good alternative (http://ridiculousfish.com/hexfiend/).

You should be able to install everything without any problem.

To sum up, our basic reversing toolkit is composed of gdb, OTX/otool/IDA and 0xED/Hex Fiend.

2 - How to use our tools
------------------------

2.0 - Updating OTX
------------------

The binary version of OTX doesn't support 64-bit binaries, so you should download the version from the
SVN repository. The information is available here: http://otx.osxninja.com/subinfo.html
You will need Xcode to compile the project.

2.1 - OTX
---------

Run OTX and you will get the program window. We need to open the binary file we want to disassemble.
Open a Terminal.app window (yes, I really love Terminal; some things are done faster and better through the command line) and
go to the folder where you have the Cracking Challenge #1 application.
List all available files with the "ls" command.
You should see a folder named Challenge #1.app. This is our target.

Mac OS X programs have a nice program structure, where (almost) everything is contained in a single folder.
Using Challenge #1.app as an example, we have the following structure inside it:
Challenge\ #1.app/Contents/
Inside Contents we have the following entries:
Info.plist MacOS PkgInfo Resources

You can find the main binary inside the MacOS folder. This is where we should start.
A Frameworks folder (not present in this bundle) might have interesting binaries to disassemble, because
some protections can reside there instead of in the main binary.
Listing the MacOS folder gives us:
$ ls MacOS/
Challenge #1

Challenge #1 is the binary we want to disassemble. The full path is:
Challenge\ #1.app/Contents/MacOS/Challenge\ #1

Some information from the binary can be extracted with the "file" command or otool.
To see if this is a fat binary (contains more than one architecture), you can use the following command:
$ file Challenge\ #1.app/Contents/MacOS/Challenge\ #1
Challenge #1.app/Contents/MacOS/Challenge #1: Mach-O universal binary with 2 architectures
Challenge #1.app/Contents/MacOS/Challenge #1 (for architecture i386): Mach-O executable i386
Challenge #1.app/Contents/MacOS/Challenge #1 (for architecture ppc): Mach-O executable ppc

The equivalent otool command is:
$ otool -h Challenge\ #1.app/Contents/MacOS/Challenge\ #1
Challenge #1.app/Contents/MacOS/Challenge #1 (architecture i386):
Mach header
      magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
 0xfeedface       7          3  0x00           2    19       2356 0x00000085
Challenge #1.app/Contents/MacOS/Challenge #1 (architecture ppc):
Mach header
      magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
 0xfeedface      18          0  0x00           2    17       2412 0x00000085

So this binary contains two architectures, 32-bit x86 and PowerPC.
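As an added example (my own code, not fG!'s and not taken from the challenge), the C program below parses exactly the headers that "file" and "otool -h" summarize above: the fat header (magic 0xcafebabe, always stored big-endian, followed by one fat_arch entry per slice) and each slice's 32-bit Mach header (magic 0xfeedface, stored in that slice's own byte order, which is why the ppc slice reads as the swapped value 0xcefaedfe when you look at it from x86). The universal binary it parses is constructed in memory with the i386 and ppc field values from the otool output and carries no load commands; the constants are copied from <mach-o/loader.h> and <mach-o/fat.h> so it builds on any host. Slice offsets and sizes are checked against the buffer length, the check any loader or triage script needs so that a malformed fat header cannot drive reads past the end of the file.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants from <mach-o/fat.h> and <mach-o/loader.h>, spelled out so this builds anywhere. */
#define FAT_MAGIC        0xcafebabeU  /* fat_header.magic; the whole fat header is big-endian */
#define MH_MAGIC         0xfeedfaceU  /* 32-bit Mach header magic, in the slice's own byte order */
#define MH_CIGAM         0xcefaedfeU  /* MH_MAGIC as it appears when byte-swapped */
#define MH_EXECUTE       2            /* filetype of an executable (what otool -h printed above) */
#define CPU_TYPE_I386    7
#define CPU_TYPE_POWERPC 18
#define MACH_HEADER_SIZE 28           /* sizeof(struct mach_header), 32-bit */
#define FAT_ARCH_SIZE    20           /* sizeof(struct fat_arch) */

struct slice_info {
    uint32_t cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags;
    int big_endian;                   /* 1 if the header fields are stored big-endian (ppc slice) */
};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint32_t le32(const uint8_t *p) {
    return ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) | ((uint32_t)p[1] << 8) | p[0];
}

const char *cpu_name(uint32_t cputype) {
    switch (cputype) {
    case CPU_TYPE_I386:    return "i386";
    case CPU_TYPE_POWERPC: return "ppc";
    default:               return "unknown";
    }
}

/* Parse one 32-bit Mach header. The byte order is taken from the magic itself:
 * a ppc slice written natively shows up as MH_CIGAM when read as little-endian. */
int parse_mach_header(const uint8_t *p, size_t len, struct slice_info *out) {
    uint32_t (*rd)(const uint8_t *);
    if (len < MACH_HEADER_SIZE) return 0;
    if (be32(p) == MH_MAGIC)      { rd = be32; out->big_endian = 1; }
    else if (be32(p) == MH_CIGAM) { rd = le32; out->big_endian = 0; }
    else return 0;                /* not a 32-bit Mach-O: 64-bit, fat, or junk */
    out->cputype    = rd(p + 4);
    out->cpusubtype = rd(p + 8);
    out->filetype   = rd(p + 12);
    out->ncmds      = rd(p + 16);
    out->sizeofcmds = rd(p + 20);
    out->flags      = rd(p + 24);
    return 1;
}

/* Parse a thin or universal (fat) image held in memory. Returns the number of slices
 * written to out[] (max_out >= 1), or -1 if the fat arch table itself is truncated.
 * Slices whose offset/size fall outside the buffer are skipped: a hostile fat header
 * must never drive reads past the end of what we actually hold. */
int parse_universal(const uint8_t *buf, size_t len, struct slice_info *out, int max_out) {
    int n = 0;
    if (len < 8) return -1;
    if (be32(buf) != FAT_MAGIC)                       /* thin binary: one slice at offset 0 */
        return parse_mach_header(buf, len, &out[0]) ? 1 : 0;
    uint32_t nfat = be32(buf + 4);
    if (nfat > (len - 8) / FAT_ARCH_SIZE) return -1;  /* arch table runs past the buffer */
    for (uint32_t i = 0; i < nfat && n < max_out; i++) {
        const uint8_t *fa = buf + 8 + (size_t)i * FAT_ARCH_SIZE;
        uint32_t off = be32(fa + 8), size = be32(fa + 12);
        if (off > len || size > len - off) continue;  /* slice lies outside the image */
        if (parse_mach_header(buf + off, size, &out[n])) n++;
    }
    return n;
}

static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}
static void put_le32(uint8_t *p, uint32_t v) {
    p[3] = (uint8_t)(v >> 24); p[2] = (uint8_t)(v >> 16); p[1] = (uint8_t)(v >> 8); p[0] = (uint8_t)v;
}
static void put_mach_header(uint8_t *p, int big, uint32_t cpu, uint32_t sub,
                            uint32_t ncmds, uint32_t sizeofcmds, uint32_t flags) {
    uint32_t f[7] = { MH_MAGIC, cpu, sub, MH_EXECUTE, ncmds, sizeofcmds, flags };
    for (int i = 0; i < 7; i++) (big ? put_be32 : put_le32)(p + 4 * i, f[i]);
}

/* Constructed sample, not the challenge file: a fat header with an i386 and a ppc slice
 * whose fields copy the otool -h output above. Slices sit at 4096 and 8192 like a real
 * universal binary (align 2^12) but hold only the 28-byte header, no load commands. */
#define SAMPLE_LEN (8192 + MACH_HEADER_SIZE)
const uint8_t *build_sample(size_t *len) {
    static uint8_t buf[SAMPLE_LEN];
    uint32_t arch[2][5] = { { CPU_TYPE_I386,    3, 4096, MACH_HEADER_SIZE, 12 },   /* fat_arch: type, */
                            { CPU_TYPE_POWERPC, 0, 8192, MACH_HEADER_SIZE, 12 } }; /* sub, off, size, align */
    memset(buf, 0, sizeof buf);
    put_be32(buf, FAT_MAGIC);
    put_be32(buf + 4, 2);                                                   /* nfat_arch */
    for (int i = 0; i < 2; i++)
        for (int j = 0; j < 5; j++)
            put_be32(buf + 8 + i * FAT_ARCH_SIZE + 4 * j, arch[i][j]);
    put_mach_header(buf + 4096, 0, CPU_TYPE_I386,    3, 19, 2356, 0x85);   /* x86: little-endian */
    put_mach_header(buf + 8192, 1, CPU_TYPE_POWERPC, 0, 17, 2412, 0x85);   /* ppc: big-endian */
    *len = sizeof buf;
    return buf;
}

int main(void) {
    size_t len;
    const uint8_t *img = build_sample(&len);
    struct slice_info s[4];
    int n = parse_universal(img, len, s, 4);
    printf("Mach-O universal binary with %d architectures\n", n);
    for (int i = 0; i < n; i++)
        printf("  %-4s cputype %2u cpusubtype %u filetype %u ncmds %2u sizeofcmds %4u flags 0x%08x (%s-endian header)\n",
               cpu_name(s[i].cputype), s[i].cputype, s[i].cpusubtype, s[i].filetype,
               s[i].ncmds, s[i].sizeofcmds, s[i].flags, s[i].big_endian ? "big" : "little");
    return 0;
}
```

To run it against the real thing, read the challenge binary into a buffer and hand it to parse_universal(); the fields it returns are the same ones otool prints, and the ppc slice will come back with big_endian set, which is the hint that you cannot simply memcpy() a Mach header into a struct and trust the numbers on x86.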

Let's try to disassemble the x86 version.
Select Open File in OTX and select that binary. You should select x86 as the processor (it's the default).

You might change the output name or just leave the default. Click Save and select where to save (usually
the Desktop, or a folder dedicated to your reversing project to keep things organized).
You can also use the otx command line version (I have installed mine at /usr/local/bin).
I usually use the following command: otx Challenge\ #1 > dump.txt

And voila, you have disassembled your first binary. Very simple! The output file is the disassembled listing of the
selected binary, and it will be our main guide into reversing the target.

2.2 - GDB
---------
GDB is a very powerful debugger, although not as easy and intuitive as Windows equivalents like OllyDbg
or SoftICE (well, SoftICE was also text only).
Nevertheless you can master it and do everything you should need for your RE projects.
Let's give it a shot and introduce you to the world of GDB!

Just a little note on the commands to be used:

1) Commands issued inside gdb will always use the following prompt: gdb$
2) Commands issued in a Terminal.app shell will always use the following prompt: shell$

To learn gdb we are going to use a simpler target so we can understand the basic commands.
You will need to compile the following program example.c:
------------------- CUT HERE -----------------
#include <stdio.h>

int main(int argc, char *argv[])
{
    if (argc < 2) { printf("Usage: %s <argument>\n", argv[0]); return 1; } /* argv[1] is NULL otherwise */
    printf("Hello GDB!\n");
    printf("Argument is: %s\n", argv[1]);
    return 0;
}
------------------- CUT HERE -----------------
