Tuesday, July 8, 2014

Mac protection

So, I spent some time studying the facilities built into OSX that would be used by loaders, decryptors, and the like as the basis of copy protection.  If you are used to protections on the PC under Windows, then the Mac appears to be a dream come true for protection tourists.

I decided to try to implement a simple protection of the sort I detailed in a previous post.  It would be architected as follows:

A simple loader application would load a second application in a suspended state, locate its initial entry point, and remove the INT 3 ($CC) instruction that I had put there.  Once this was done, it would launch the app and allow it to run (which would simply print "Hello World" and exit).  An adequate proof of concept, I thought.  Since OSX is BSD based, I could just use the POSIX stuff, right?  Start an app, use the Apple extension to start it suspended, and then just go read/write the spawned application's memory.
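The "locate its initial entry point" step, as an added example that is not the author's loader: a parser that walks a 64-bit Mach-O's load commands for LC_MAIN and returns its entryoff, refusing headers whose commands would overrun the buffer. It assumes the modern LC_MAIN form (not the older LC_UNIXTHREAD), and the 80-byte image it parses is constructed in the block rather than read from a real binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Mach-O constants/layouts with the values from Apple's <mach-o/loader.h>, redeclared so this builds anywhere. */
#define MH_MAGIC_64 0xfeedfacfu
#define LC_UUID     0x1bu
#define LC_MAIN     0x80000028u /* LC_REQ_DYLD | 0x28 */
struct mach_header_64 { uint32_t magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved; };
struct load_command { uint32_t cmd, cmdsize; };
struct entry_point_command { uint32_t cmd, cmdsize; uint64_t entryoff, stacksize; };

/* Walk the load commands of a 64-bit Mach-O image and return LC_MAIN's entryoff (offset of
 * main() from the start of __TEXT). Returns 0 if the magic is wrong, there is no LC_MAIN, or
 * any command would run past the buffer, so a truncated or crafted header cannot make us read OOB. */
uint64_t find_lc_main_entry(const uint8_t *image, size_t len) {
    struct mach_header_64 hdr;
    if (len < sizeof hdr) return 0;
    memcpy(&hdr, image, sizeof hdr);
    if (hdr.magic != MH_MAGIC_64) return 0;
    size_t off = sizeof hdr, end = off + hdr.sizeofcmds;
    if (end > len) return 0;
    for (uint32_t i = 0; i < hdr.ncmds; i++) {
        struct load_command lc;
        if (off + sizeof lc > end) return 0;
        memcpy(&lc, image + off, sizeof lc);
        if (lc.cmdsize < sizeof lc || off + lc.cmdsize > end) return 0; /* bogus cmdsize */
        if (lc.cmd == LC_MAIN && lc.cmdsize >= sizeof(struct entry_point_command)) {
            struct entry_point_command ep;
            memcpy(&ep, image + off, sizeof ep);
            return ep.entryoff;
        }
        off += lc.cmdsize;
    }
    return 0;
}

/* Constructed 80-byte sample (not a real binary): header, one LC_UUID, then LC_MAIN with entryoff 0x1f40. */
size_t build_sample_image(uint8_t *buf, size_t cap) {
    struct load_command uuid = { LC_UUID, 24 };                 /* 8-byte header + 16 uuid bytes */
    struct entry_point_command ep = { LC_MAIN, 24, 0x1f40, 0 };
    struct mach_header_64 hdr = { MH_MAGIC_64, 0, 0, 2 /* MH_EXECUTE */, 2, 48, 0, 0 };
    if (cap < 80) return 0;
    memset(buf, 0, 80); memcpy(buf, &hdr, 32); memcpy(buf + 32, &uuid, 8); memcpy(buf + 56, &ep, 24);
    return 80;
}
/* Intact sample, and the same bytes with the last one dropped (LC_MAIN would overrun). */
uint64_t sample_entry(void) { uint8_t img[80]; return find_lc_main_entry(img, build_sample_image(img, 80)); }
uint64_t sample_entry_truncated(void) { uint8_t img[80]; return find_lc_main_entry(img, build_sample_image(img, 80) - 1); }
int main(void) { printf("LC_MAIN entryoff: 0x%llx\n", (unsigned long long)sample_entry()); return 0; }
```

For an image already mapped in memory, the same offset is applied to the load address of __TEXT (the assumption here is that __TEXT starts at file offset 0, as it does for a normal executable).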

That's where the problems started.  Evidently, there has been LOTS of activity on OSX with regards to trojans, rootkits, and the like.  These have forced Apple to lock up lots of avenues into the kernel, and they've sealed off lots of tools that you would need to do good things.  So, this means that most of the casual gaming protections I've seen on the Mac are shameful.  As I mention elsewhere on this blog, the preferred method appears to be this: make the loader and license enforcer one application, and it's that app that gets executed when you use the launcher.  The game's main executable is renamed and/or hidden (such tactics as giving it a name starting with ".", so that it's not shown when you ls the files in the bundle; if it's not THAT technique, then it's "rename the executable to look like a data file").  Anyway, where this leads is that you first run the loader, it verifies your license, and then it execs the game.  No in-memory patching, NOTHING.  It just simply launches the game.  So, to crack these games, you just delete the loader, and rename the game to match what the loader used to be called.

I'll definitely be keeping my eye on Mac protections from now on, as this is somewhat fascinating to me!  The measures that stop trojans and malware also stop most protection methods.