
The Fun's Begun

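The world's first worm for 'Tiger' in the wild?

What follows is the raw evidence: the headers of the message that carried the attachment 'Picture', the `otool -L` output for that file, and what appear to be its printable strings listed by file offset. Read defensively, the strings suggest a dropper that builds a 'MailHack' bundle under ~/Library/InputManagers and places 'Picture' under Library/StartupItems. The embedded bundle appears to check for com.apple.mail and swizzle MessageEditor's send: (mailHacked_send:, addFileWrappersForPaths:), presumably so the file is attached to outgoing mail. Those two paths and the bundle identifier at offset 0000720e are the artifacts to look for on a suspect machine.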


Return-Path: <balzor@enigma-security.net>
Received: (qmail 48 invoked from network); 19 May 2005 00:10:57 -0000
Received: from localhost (HELO ?127.0.0.1?) (127.0.0.1) by localhost with SMTP; 19 May 2005 00:10:57 -0000
Mime-Version: 1.0 (Apple Message framework v622)
Message-Id: <0a465f3933d487e1ab0496cbbcb818de@enigma-security.net>
Content-Type: multipart/mixed; boundary=Apple-Mail-1-715295848
From: <balzor@enigma-security.net>
Date: Wed, 18 May 2005 17:10:49 -0700
X-Mailer: Apple Mail (2.622)
Content-Length: 14509


% otool -L Picture
Picture:
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 71.1.1)
%


00000023 8__PAGEZERO
0000005c __TEXT
0000008c __text
0000009c __TEXT
000000d0 __picsymbol_stub__TEXT
00000113 $__symbol_stub
00000124 __TEXT
00000158 __picsymbolstub1__TEXT
0000019b  __cstring
000001ac __TEXT
000001e8 __DATA
00000218 __data
00000228 __DATA
0000025c __la_symbol_ptr
0000026c __DATA
000002a0 __nl_symbol_ptr
000002b0 __DATA
000002e4 __dyld
000002f4 __DATA
00000328 __const
00000338 __DATA
0000036c __common
0000037c __DATA
000003b7 8__LINKEDIT
000003f4 /usr/lib/dyld
0000041c /usr/lib/libSystem.B.dylib
00000d00 }"Kx/
00000d3c }"Kx|
000014a3 x}%KxH
000015eb x}%Kx8
00001804 8c\ 8
00001d6c __dyld_mod_term_funcs
00001d84 __dyld_make_delayed_module_initializer_calls
00001db4 The kernel support for the dynamic linker is not present to run this program.
00001e04 /usr/bin/say
00001e14 You done got yourself pooned, BITCH.  You're in for a treat!
00001e54 HOME
00001e5c %s/Library/StartupItems
00001e74 %s/Picture
00001e88 %s/Library/InputManagers
00001ea4 %s/MailHack
00001eb0 %s/MailHack.bundle
00001ec4 %s/Contents
00001ed0 %s/MacOS
00001edc %s/Resources
00001eec %s/Library/InputManagers/MailHack/Info
00001f14 %s/Library/InputManagers/MailHack/MailHack.bundle/Contents/MacOS/MailHack
00001f60 %s/Library/InputManagers/MailHack/MailHack.bundle/Contents/Resources
         /InfoPlist.strings
00001fb8 %s/Library/InputManagers/MailHack/MailHack.bundle/Contents/Info.plist
00002043 H__TEXT
00002074 __text
00002084 __TEXT
000020b8 __picsymbol_stub__TEXT
000020fb $__picsymbolstub1__TEXT
0000213f  __cstring
00002150 __TEXT
0000218b H__DATA
000021bc __data
000021cc __DATA
00002200 __dyld
00002210 __DATA
00002244 __la_symbol_ptr
00002254 __DATA
00002288 __nl_symbol_ptr
00002298 __DATA
000022d4 __OBJC
00002304 __cat_cls_meth
00002314 __OBJC
00002348 __cat_inst_meth
00002358 __OBJC
0000238c __string_object
0000239c __OBJC
000023d0 __cstring_object__OBJC
00002414 __message_refs
00002424 __OBJC
00002458 __sel_fixup
00002468 __OBJC
0000249c __cls_refs
000024ac __OBJC
000024e0 __class
000024f0 __OBJC
00002524 __meta_class
00002534 __OBJC
00002568 __cls_meth
00002578 __OBJC
000025ac __inst_meth
000025bc __OBJC
000025f0 __protocol
00002600 __OBJC
00002634 __category
00002644 __OBJC
00002678 __class_vars
00002688 __OBJC
000026bc __instance_vars
000026cc __OBJC
00002700 __module_info
00002710 __OBJC
00002744 __symbols
00002754 __OBJC
0000278f 8__LINKEDIT
000027d8 /System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
0000282c /usr/lib/libSystem.B.dylib
00002e3b  com.apple.mail
00002e50 MessageEditor
00002e60 /Library/StartupItems/Picture
00002e80 HOME
00002e88 MailHack
00002e94 NSObject
00002ea0 /Users/admin/Desktop/src/MailHack/MailHack.m
00002ed0 NSBundle
00002edc NSNotificationCenter
00002ef4 NSString
00002f00 NSArray
00002f08 mailHacked_send:
00002f1c applicationDidFinishLaunching:
00002f3c load
00002f44 mainBundle
00002f50 bundleIdentifier
00002f64 isEqualTo:
00002f70 defaultCenter
00002f80 addObserver:selector:name:object:
00002fa4 send:
00002fac stringWithCString:
00002fc0 stringByAppendingString:
00002fdc arrayWithObject:
00002ff0 addFileWrappersForPaths:
0000300c v12@0:4@8
00003018 v8@0:4
00005910 __dyld_func_lookup
00005923 dyld_stub_binding_helper
0000593c __mh_bundle_header
0000594f .objc_category_name_NSObject_MailHack
00005975 .objc_class_name_MailHack
0000598f _MethodSwizzle
0000599e .objc_class_name_NSArray
000059b7 .objc_class_name_NSBundle
000059d1 .objc_class_name_NSConstantString
000059f3 .objc_class_name_NSNotificationCenter
00005a19 .objc_class_name_NSObject
00005a33 .objc_class_name_NSString
00005a4d _NSApplicationDidFinishLaunchingNotification
00005a7a _NSClassFromString
00005a8d __NSConstantStringClassReference
00005aae _class_getInstanceMethod
00005ac7 _getenv
00005acf _objc_msgSend
00005add dyld_lazy_symbol_binding_entry_point
00005b02 dyld__mh_bundle_header
00005b19 dyld_func_lookup_pointer
00005b32 /Users/admin/Desktop/src/MailHack/
00005b55 /Users/admin/Desktop/src/MailHack/MailHack.m
00005b82 gcc2_compiled.
00005b91 MethodSwizzle:F(0,1)=(0,1)
00005bac void:t(0,1)
00005bb8 aClass:p(0,2)=(0,3)=*(0,4)=xsobjc_class:
00005be1 orig_sel:p(0,5)=(0,6)=*(0,7)=xsobjc_selector:
00005c0f alt_sel:p(0,5)
00005c1e Class:t(0,2)
00005c2b objc_class:T(0,4)=s40isa:(0,3),0,32;super_class:(0,3),32,32;
         name:(0,8)=*(0,9)=k(0,10)=r(0,10);0;127;,64,32;
         version:(0,11)=r(0,11
00005cab );-2147483648;2147483647;,96,32;info:(0,11),128,32;instance_size:(0,11),160,32;
         ivars:(0,12)=*(0,13)=xsobjc_ivar_list:,192,32;met
00005d2b hodLists:(0,14)=*(0,15)=*(0,16)=xsobjc_method_list:,224,32;
         cache:(0,17)=*(0,18)=xsobjc_cache:,256,32;protocols:(0,19)=*(0,20)=xs
00005dab objc_protocol_list:,288,32;;
00005dc8 SEL:t(0,5)
00005dd3 char:t(0,10)
00005de0 long int:t(0,11)
00005df1 objc_ivar_list:T(0,13)=s16ivar_count:(0,21)=r(0,21);-2147483648;2147483647;,0,32;
         ivar_list:(0,22)=ar(0,23)=r(0,23);00000
00005e71 ;0037777777777;;0;0;(0,24)=xsobjc_ivar:,32,96;;
00005ea1 objc_method_list:T(0,16)=s20obsolete:(0,15),0,32;method_count:(0,21),32,32;
         method_list:(0,25)=ar(0,23);0;0;(0,26)=xsobjc_method:
00005f21 ,64,96;;
00005f2a objc_cache:T(0,18)=s12mask:(0,27)=r(0,27);00000;0037777777777;,0,32;
         occupied:(0,27),32,32;buckets:(0,28)=ar(0,23);0;0;(0
00005faa ,29)=(0,30)=*(0,26),64,32;;
00005fc6 objc_protocol_list:T(0,20)=s12next:(0,19),0,32;count:(0,21),32,32;
         list:(0,31)=ar(0,23);0;0;(0,32)=*(0,33)=xsProtocol:,64,32;;
00006044 int:t(0,21)
00006050 long unsigned int:t(0,34)=r(0,34);00000;0037777777777;
0000608f objc_ivar:T(0,24)=s12ivar_name:(0,35)=*(0,10),0,32;ivar_type:(0,35),32,32;
         ivar_offset:(0,21),64,32;;
000060f4 objc_method:T(0,26)=s12method_name:(0,5),0,32;method_types:(0,35),32,32;
         method_imp:(0,36)=(0,37)=*(0,38)=f(0,39)=(0,40)=*(0,41)=
00006174 xsobjc_object:,64,32;;
0000618b unsigned int:t(0,27)
000061a0 Method:t(0,29)
000061af IMP:t(0,36)
000061bb id:t(0,39)
000061c6 objc_object:T(0,41)=s4isa:(0,2),0,32;;
000061ed orig_method:(0,29)
00006200 alt_method:(0,29)
00006213 temp1:(0,35)
00006220 temp2:(0,36)
00006231 +[MailHack load]
00006242 +[MailHack load]:f(0,1)
0000625a self:p(0,40)
00006267 _cmd:p(0,6)
00006274 +[MailHack applicationDidFinishLaunching:]
0000629f +[MailHack applicationDidFinishLaunching:]:f(0,1)
000062d1 self:p(0,40)
000062de _cmd:p(0,6)
000062ea aNotification:p(0,42)=*(0,43)=xsNSNotification:
0000631a NSNotification:T(0,43)=s4isa:/1(0,2),0,32;;
00006347 -[NSObject(MailHack) mailHacked_send:]
0000636e -[NSObject(MailHack) mailHacked_send:]:f(0,1)
0000639c self:p(0,44)=*(0,45)=xsNSObject:
000063bd _cmd:p(0,6)
000063c9 identifier:p(0,39)
000063dc NSObject:T(0,45)=s4isa:/1(0,2),0,32;;
00006402 pathString:(0,46)=*(0,47)=xsNSString:
00006428 NSString:T(0,47)=s4isa:/1(0,2),0,32;;
0000644e myFilePath:(0,48)=*(0,49)=xsNSArray:
00006473 NSArray:T(0,49)=s4isa:/1(0,2),0,32;;
0000649b _OBJC_CLASS_MailHack:S(0,50)=xs_objc_class:
000064c7 _objc_class:T(0,50)=s48isa:(0,51)=*(0,50),0,32;super_class:(0,51),32,32;
         name:(0,35),64,32;version:(0,11),96,32;info:(0,11),128,3
00006547 2;instance_size:(0,11),160,32;ivars:(0,52)=*(0,53)=xs_objc_ivar_list:,192,32;
         methods:(0,54)=*(0,55)=xs_objc_method_list:,224,32;
000065c7 cache:(0,17),256,32;protocol_list:(0,56)=*(0,57)=*(0,58)=
         xs_objc_protocol:,288,32;sel_id:(0,59)=*(0,1),320,32;gc_object_type:(0,
00006647 59),352,32;;
00006654 _objc_protocol:T(0,58)=s20isa:(0,51),0,32;protocol_name:(0,35),32,32;
         protocol_list:(0,56),64,32;instance_methods:(0,60)=*(0,61)=
000066d4 xs_objc__method_prototype_list:,96,32;class_methods:(0,60),128,32;;
00006718 _OBJC_METACLASS_MailHack:S(0,50)
00006739 _OBJC_CLASS_REFERENCES_0:S(0,3)
00006759 _OBJC_SELECTOR_REFERENCES_0:S(0,6)
0000677c _OBJC_SELECTOR_REFERENCES_1:S(0,6)
0000679f _OBJC_SELECTOR_REFERENCES_2:S(0,6)
000067c2 _OBJC_CLASS_REFERENCES_1:S(0,3)
000067e2 _OBJC_SELECTOR_REFERENCES_3:S(0,6)
00006805 _OBJC_SELECTOR_REFERENCES_4:S(0,6)
00006828 _OBJC_SELECTOR_REFERENCES_5:S(0,6)
0000684b _OBJC_SELECTOR_REFERENCES_6:S(0,6)
0000686e _OBJC_SELECTOR_REFERENCES_7:S(0,6)
00006891 _OBJC_CLASS_REFERENCES_2:S(0,3)
000068b1 _OBJC_SELECTOR_REFERENCES_8:S(0,6)
000068d4 _OBJC_SELECTOR_REFERENCES_9:S(0,6)
000068f7 _OBJC_CLASS_REFERENCES_3:S(0,3)
00006917 _OBJC_SELECTOR_REFERENCES_10:S(0,6)
0000693b _OBJC_SELECTOR_REFERENCES_11:S(0,6)
0000695f _OBJC_CATEGORY_NSObject_MailHack:S(0,62)=xs_objc_category:
0000699a _objc_category:T(0,62)=s20category_name:(0,35),0,32;class_name:(0,35),32,32;
         instance_methods:(0,54),64,32;class_methods:(0,54),9
00006a1a 6,32;protocol_list:(0,56),128,32;;
00006a3d _OBJC_METH_VAR_NAME_0:S(0,63)=ar(0,23);0;16;(0,10)
00006a70 _OBJC_METH_VAR_TYPE_0:S(0,64)=ar(0,23);0;9;(0,10)
00006aa2 _OBJC_CATEGORY_INSTANCE_METHODS_NSObject_MailHack:S(0,55)
00006adc _OBJC_CLASS_NAME_0:S(0,65)=ar(0,23);0;8;(0,10)
00006b0b _OBJC_CLASS_NAME_1:S(0,66)=ar(0,23);0;8;(0,10)
00006b3a _OBJC_METH_VAR_NAME_1:S(0,67)=ar(0,23);0;30;(0,10)
00006b6d _OBJC_METH_VAR_NAME_2:S(0,68)=ar(0,23);0;4;(0,10)
00006b9f _OBJC_METH_VAR_TYPE_1:S(0,69)=ar(0,23);0;6;(0,10)
00006bd1 _OBJC_CLASS_METHODS_MailHack:S(0,55)
00006bf6 _OBJC_METH_VAR_NAME_3:S(0,70)=ar(0,23);0;10;(0,10)
00006c29 _OBJC_METH_VAR_NAME_4:S(0,71)=ar(0,23);0;16;(0,10)
00006c5c _OBJC_METH_VAR_NAME_5:S(0,72)=ar(0,23);0;10;(0,10)
00006c8f _OBJC_METH_VAR_NAME_6:S(0,73)=ar(0,23);0;13;(0,10)
00006cc2 _OBJC_METH_VAR_NAME_7:S(0,74)=ar(0,23);0;33;(0,10)
00006cf5 _OBJC_METH_VAR_NAME_8:S(0,75)=ar(0,23);0;5;(0,10)
00006d27 _OBJC_METH_VAR_NAME_9:S(0,76)=ar(0,23);0;18;(0,10)
00006d5a _OBJC_METH_VAR_NAME_10:S(0,77)=ar(0,23);0;24;(0,10)
00006d8e _OBJC_METH_VAR_NAME_11:S(0,78)=ar(0,23);0;16;(0,10)
00006dc2 _OBJC_METH_VAR_NAME_12:S(0,79)=ar(0,23);0;24;(0,10)
00006df6 _OBJC_CLASS_NAME_2:S(0,80)=ar(0,23);0;44;(0,10)
00006e26 _OBJC_CLASS_NAME_3:S(0,81)=ar(0,23);0;8;(0,10)
00006e55 _OBJC_CLASS_NAME_4:S(0,82)=ar(0,23);0;20;(0,10)
00006e85 _OBJC_CLASS_NAME_5:S(0,83)=ar(0,23);0;8;(0,10)
00006eb4 _OBJC_CLASS_NAME_6:S(0,84)=ar(0,23);0;7;(0,10)
00006ee4 <?xml version="1.0" encoding="UTF-8"?>
00006f0b <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
         "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
00006f7b <plist version="1.0">
00006f91 <dict>
00006f99 <key>BundleName</key>
00006fb0 <string>MailHack.bundle</string>
00006fd2 <key>LoadBundleOnLaunch</key>
00006ff1 <string>YES</string>
00007007 <key>LocalizedNames</key>
00007022 <dict>
0000702b <key>English</key>
00007040 <string>MailHack</string>
0000705b </dict>
00007064 <key>NoMenuEntry</key>
0000707c <string>YES</string>
00007091 </dict>
00007099 </plist>
000070a4 CFBundleName="MailHack";
000070c0 <?xml version="1.0" encoding="UTF-8"?>
000070e7 <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
         "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
00007157 <plist version="1.0">
0000716d <dict>
00007175 <key>CFBundleDevelopmentRegion</key>
0000719b <string>English</string>
000071b5 <key>CFBundleExecutable</key>
000071d4 <string>MailHack</string>
000071ef <key>CFBundleIdentifier</key>
0000720e <string>fuck.you.MailHack</string>
00007232 <key>CFBundleInfoDictionaryVersion</key>
0000725c <string>6.0</string>
00007272 <key>CFBundlePackageType</key>
00007292 <string>BNDL</string>
000072a9 <key>CFBundleSignature</key>
000072c7 <string>????</string>
000072de <key>CFBundleVersion</key>
000072fa <string>1.0</string>
0000730f </dict>
00007317 </plist>
00008558 _InfoPlist
00008563 _InfoPlistStr
00008571 _NXArgc
00008579 _NXArgv
00008581 ___darwin_gcc3_preregister_frame_info
000085a7 ___progname
000085b3 __cplus_init
000085c0 __mh_execute_header
000085d4 __objcInit
000085df _catch_exception_raise
000085f6 _catch_exception_raise_state
00008613 _catch_exception_raise_state_identity
00008639 _clock_alarm_reply
0000864c _do_mach_notify_dead_name
00008666 _do_mach_notify_no_senders
00008681 _do_mach_notify_port_deleted
0000869e _do_mach_notify_send_once
000086b8 _do_seqnos_mach_notify_dead_name
000086d9 _do_seqnos_mach_notify_no_senders
000086fb _do_seqnos_mach_notify_port_deleted
0000871f _do_seqnos_mach_notify_send_once
00008740 _environ
00008749 _infoBuff
00008753 _mailhack
0000875d _main
00008763 _receive_samples
00008774 start
0000877a ___keymgr_dwarf2_register_sections
0000879d ___keymgr_global
000087ae __cthread_init_routine
000087c5 __dyld_register_func_for_add_image
000087e8 __dyld_register_func_for_remove_image
0000880e __init_keymgr
0000881c __keymgr_get_and_lock_processwide_ptr
00008842 __keymgr_set_and_unlock_processwide_ptr
0000886a _abort
00008871 _atexit
00008879 _bzero
00008880 _calloc
00008888 _chdir
0000888f _chmod
00008896 _errno
0000889d _execl
000088a4 _execv
000088ab _exit
000088b1 _fclose
000088b9 _fopen
000088c0 _fork
000088c6 _fread
000088cd _free
000088d3 _fseek
000088da _ftell
000088e1 _fwrite
000088e9 _getcwd
000088f1 _getenv
000088f9 _mach_init_routine
0000890c _mkdir
00008913 _remove
0000891b _rewind
00008923 _sprintf
0000892c _strcmp
00008934 _strlen
0000893c _strncat
00008945 _strncpy
0000894e _strrchr
00008957 _pointer_to_objcInit
0000896c _pointer_to__darwin_gcc3_preregister_frame_info
0000899c __call_mod_init_funcs
000089b2 dyld_lazy_symbol_binding_entry_point
000089d7 error_message
000089e5 dyld_func_lookup_pointer
000089fe __dyld_func_lookup
00008a11 __dyld_init_check
00008a23 __start
00008a2b dyld_stub_binding_helper
00008a44 _darwin_unwind_dyld_add_image_hook
00008a67 _darwin_unwind_dyld_remove_image_hook