Thursday, April 16, 2009

Ode to 50cent

I was recently on a plane for a LONG, LONG time. For me this is roughly equivalent to putting a cat in a box and dangling it over water. I get bored easily, and after watching all the television shows I had brought with me I decided to play with IDA and any unsuspecting binaries that I randomly selected from my laptop. While doing this I noticed iTunes kept crashing, predictably and reliably, in the same place. I decided to use gdb to see what the hubbub was all about. However, I got dissed: iTunes would not allow itself to be debugged.

This would not do. Not knowing anything about the anti-debugging capabilities of iTunes, I figured the best way (and the laziest way) for a programmer to try to keep me from debugging is ptrace. I set a breakpoint on ptrace and tried again. I got a nibble. I typed return, and then let iTunes continue on its way. It worked somewhat: iTunes would continue, but I was prompted over and over again to complete the same task, and if I deleted the breakpoint iTunes would exit. I decided to modify ptrace to return immediately. I did so with the following command:

set *(int)ptrace = 0xc3

0xc3 is the x86 opcode for ret, so ptrace now returns to its caller as soon as it is called. After I did this I deleted the breakpoint and let iTunes go about its normal activity, or as 50cent would say, “sit back and let the money pile up.”

B00m, we have a crash.

Now I can examine the information from the crash and work on how exploitable the problem is. The exploitability is a post for another day; I just thought some folks could use a nifty trick if they found themselves in a jam.
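
An added example (not from the original post, and not Apple's or gdb's code) of what that one-line write does to the function's entry and how a process could notice it. It assumes the debugger performs a 4-byte little-endian store for *(int)ptrace on a 32-bit target; the prologue bytes, KNOWN_GOOD and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STUB_LEN 8
/* Constructed sample: a typical 32-bit x86 function prologue standing in for
 * the first bytes of ptrace. Not dumped from a real library. */
static const uint8_t KNOWN_GOOD[STUB_LEN] =
    {0x55, 0x89, 0xe5, 0x83, 0xec, 0x18, 0x8b, 0x45};

/* Model of the debugger's store: `width` (<= 4) bytes of `value`, little-endian. */
static void store_le(uint8_t *dst, uint32_t value, size_t width)
{
    for (size_t i = 0; i < width; i++)
        dst[i] = (uint8_t)(value >> (8 * i));
}

/* Number of entry bytes that differ from the known-good copy. */
static size_t clobbered(const uint8_t *entry)
{
    size_t n = 0;
    for (size_t i = 0; i < STUB_LEN; i++)
        n += (entry[i] != KNOWN_GOOD[i]);
    return n;
}

/* 0 = intact, 1 = first byte is ret (returns at once), 2 = other change. */
static int check_entry(const uint8_t *entry)
{
    return entry[0] == 0xc3 ? 1 : (clobbered(entry) ? 2 : 0);
}

/* Fill `entry` with a fresh copy patched by a `width`-byte store of 0xc3. */
static void patched_copy(uint8_t *entry, size_t width)
{
    memcpy(entry, KNOWN_GOOD, STUB_LEN);
    store_le(entry, 0xc3, width);
}

int main(void)
{
    uint8_t e[STUB_LEN];
    patched_copy(e, 4);
    printf("4-byte store: %zu changed, verdict %d\n", clobbered(e), check_entry(e));
    patched_copy(e, 1);
    printf("1-byte store: %zu changed, verdict %d\n", clobbered(e), check_entry(e));
    return 0;
}
```

Only the first byte matters to the bypass: the other three overwritten bytes are never executed, and a one-byte store would leave them intact.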

(This post was written to 50cent's “How to rob.” Also, I typed some commands in gdb that produced errors because my regular alias file was not loaded.)

1 comment:

ReverendTurner said...

You had nothing better to do than run a debugger?!? Dude, you could have just called me @ $5 a minute and had a chat. :)

Holla back!