Timac

  1. Dump decrypted mach-o apps

    In a previous post CryptedHelloWorld: App with encrypted mach-o sections, I created a simple macOS app CryptedHelloWorld with its (__TEXT, __text) section encrypted. The section is decrypted by a constructor function. This post explains how to dump the decrypted app. A common way is to attach the app with a debugger (GDB, LLDB) and manually dump the decrypted memory to disk. However I will use a different solution by using 2 techniques already presented in previous posts: a destructor function and code injection.
    [Read More]
  2. Mail.app plugin compatibility for macOS Sierra (10.12)

    Mail.app in macOS 10.11 and earlier used to check the plugins compatibility using the SupportedPluginCompatibilityUUIDs key in the plugin’s Info.plist. For example a Mail plugin would only be compatible with macOS 10.11.6 if its Info.plist contained the following: <key>SupportedPluginCompatibilityUUIDs</key> <array> <string>71562B89-0D90-4588-8E94-A75B701D6443</string> </array> Mail.app version 10.0 in macOS Sierra (10.12) now uses a different key to check the plugins compatibility. It now requires a key with the format Supported%ld.%ldPluginCompatibilityUUIDs where %ld.
    [Read More]
  3. CryptedHelloWorld: App with encrypted mach-o sections

    In a previous post ( constructor and destructor attributes ), I described the constructor attribute and mentioned software protection as a possible use case: A constructor attribute could be used to implement a software protection. You could encrypt your executable with a custom encryption and use a constructor function to decrypt the binary just before it is loaded. In this post I describe such a protection with an example.
    [Read More]
  4. constructor and destructor attributes

    GCC (and Clang) supports constructor and destructor attributes: __attribute__((constructor)) __attribute__((destructor)) Description A function marked with the __attribute__((constructor)) attribute will be called automatically before your main() function is called. Similarly a function marked with the __attribute__((destructor)) attribute will be called automatically after your main() function returns. You can find the GCC documentation here: constructor destructor The constructor attribute causes the function to be called automatically before execution enters main ().
    [Read More]
  5. Blowfish operations with key size longer than 448 bits in macOS 10.11.5 / iOS 9.3.2

    Until macOS 10.11.4 and iOS 9.3.1 CommonCrypto/corecrypto supported Blowfish operations with key sizes longer than 448 bits. Starting with macOS 10.11.5 and iOS 9.3.2 this is no longer the case: the minimum and maximum key sizes are now enforced (respectively kCCKeySizeMinBlowfish 8 bytes and kCCKeySizeMaxBlowfish 56 bytes). This is probably the fix for CVE-2016-1802: If you perform a Blowfish operation with a key length longer than 448 bits, it will now fail with an error kCCParamError.
    [Read More]
  6. State Preservation and Restoration Debug Logs

    The State Preservation and Restoration system is well documented here: Preserving Your App’s Visual Appearance Across Launches. But what is not well known is that there is a secret preference to enable debug logs. You can set the preference UIStateRestorationDebugLogging to YES in your main function before the call to UIApplicationMain: [[NSUserDefaults standardUserDefaults] setBool:YES forKey:@"UIStateRestorationDebugLogging"]; There is also a less useful ‘Developer Mode’ secret preference which will skip the deletion of the restoration archive when the app crashes.
    [Read More]
  7. Identifying the type of build (Build, Archive) at compile time in Xcode

    Let’s say you want to have a different behavior in your app depending on whether you build it in Xcode or you perform an Archive. And you want this behavior to be done at compile time. Note that the use of different configurations is not what is wanted. Here is a solution using the ACTION Xcode property build setting. This property is documented in the Xcode Build Setting Reference:
    [Read More]
  8. Programmatically lock the screen

    The Keychain Access application has a preference to display a “Lock Screen” menu item in the menubar: After enabling the checkbox Show keychain status in menu bar, this menu will appear in the menubar: This menu is located here: /Applications/Utilities/Keychain Access.app/Contents/Resources/Keychain.menu and it is fairly easy to find the method -[AppleKeychainExtra _lockScreenMenuHit:]. That’s this simple! The method -[AppleKeychainExtra _lockScreenMenuHit:] simply calls the private method SACLockScreenImmediate from the Login private framework.
    [Read More]
  9. Disable swipe to delete in Mail.app on OS X 10.11

    OS X 10.11 ‘El Capitan’ added a new feature to Mail.app Swipe to manage your inbox: Swipe to manage your inbox. Now you can take care of your email with a swipe, just like on your iOS devices. Need to triage your inbox? Swipe right to mark an email as read or unread, or swipe left to delete. You’ll be focused on what’s important in no time. I find this new feature extremely annoying as I keep triggering it by accident.
    [Read More]
  10. Checking if Reduced Motion is enabled on iOS 7

    Apple introduced in iOS 7.0.3 a setting to reduce motion ( http://support.apple.com/kb/HT5595 ) : Settings -> General -> Accessibility -> Reduce Motion Sadly there is no public API to know if the user enabled “Reduce motion”. Here is how to get the value of this setting using a private API. Note that you should not use this code for applications submitted to the App Store. #include <dlfcn.h> + (BOOL) reduceMotionEnabled { BOOL (*_UIAccessibilityReduceMotionFunction)(void) = (BOOL (*)(void)) dlsym(RTLD_DEFAULT, "_UIAccessibilityReduceMotion"); if(_UIAccessibilityReduceMotionFunction !
    [Read More]