
Hacking C0d3 S1gN

Rabbit hole? And where's the protection? From the forum.



As always good ideas can come in one's sleep. I'll just lay this all out for you and let you draw your own conclusions. There are not many ways these conclusions can namely go. ;)

1. Make copy of CLIX.app: CLIX1.app.

2. Unilipo to native (i386) only. Result is binary 47824 bytes.

3. Make copy of CLIX1.app: CLIX2.app. Sign it. Result is binary 53248 bytes.

4. Apple say code signing adds only 1% to a binary. Code signing here adds 5424 bytes or 11.3415858146537% so they're off by a factor of 1000%. Whatever.

5. Compare the binaries with Rixcomp. There are twelve differences up to the 47824 boundary. [Rixcomp needs an export feature here. Ouch.] Offsets are in decimal (hex) and rest is in hex.

Offset        CLIX1    CLIX2
------        -----    -----
16 (10)       18       19
20 (14)       88       98
1696 (6a0)    d0       00
1697 (6a1)    0a       20
1704 (6a8)    d0       00
1705 (6a9)    0a       20
2980 (ba4)    00       1d
2984 (ba8)    00       10
2988 (bac)    00       d0
2989 (bad)    00       ba
2992 (bb0)    00       30
2993 (bb1)    00       15

6. Run otool -l on both binaries, save to text files, use FileMerge to compare the two text files. There are three differences.

A. In segname __LINKEDIT original vmsize is 0x00000ad0; vmsize in signed binary is listed as 0x00002000.

B. In segname __LINKEDIT original filesize is 2768; filesize in signed binary is listed as 8192.

C. There is an additional load command in the signed binary.

     cmd LC_CODE_SIGNATURE
 cmdsize 16
 dataoff 47824
datasize 5424

You'll notice the dataoff and datasize fields correspond directly to what we've previously calculated for original file size and size of code sign chunk added on. Of course the other differences directly correspond to the other differences found by Rixcomp as well. (Good homework assignment: check for yourself.)

7. Make a backup of the code signed binary as we're going to toy with it.

8. Verify that CLIX2 indeed runs. It does.

9. Open CLIX2 binary in HexFiend and change at least one byte. We choose to change the string constant at offset 0x7ef8 from 'Do you want to...' to 'Do you wish to...'. This preserves alignment so the binary will otherwise run.

10. Test run CLIX2. It does not run.

11. Now use HexFiend to change those twelve bytes listed earlier.

12. Now try running CLIX2 again. It still doesn't work!

13. Delete everything after offset 47824 and remove the CodeResources shite.

14. Compare binaries again. The only differences are the ones introduced in the string constant.

Offset          CLIX1    CLIX2
------          -----    -----
32512 (7f00)    a (61)   i (69)
32513 (7f01)    n (6e)   s (73)
32514 (7f02)    t (74)   h (68)

15. CLIX2 still doesn't run!

16. But a copy of the CLIX2 bundle does!
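For the homework in steps 5 and 6, here is an added example (not part of the original post, and not Rixstep code) that walks the load commands of a thin 32-bit Mach-O and names the header field behind each of the twelve differing bytes. The sample images are constructed from the sizes and offsets quoted above; the filler commands, the `FILLER` cmd number, the `__LINKEDIT` fileoff of 45056 (derived as 53248 - 8192) and vmaddr 0 are assumptions.

```python
import struct

MH_MAGIC = 0xFEEDFACE        # thin 32-bit little-endian Mach-O, as in the i386 binary
LC_SEGMENT = 0x1
LC_CODE_SIGNATURE = 0x1D
FILLER = 0x7F000001          # constructed cmd number, padding for the sample only

def build_sample(signed):
    """Constructed image: header fields use the page's values, the rest is zeros."""
    linkedit_size, total = (8192, 53248) if signed else (2768, 47824)
    def filler(size):
        return struct.pack("<II", FILLER, size) + bytes(size - 8)
    # fileoff 45056 is derived (53248 - 8192); vmaddr 0 is an assumption
    linkedit = struct.pack("<II16s8I", LC_SEGMENT, 56, b"__LINKEDIT",
                           0, linkedit_size, 45056, linkedit_size, 7, 1, 0, 0)
    cmds = [filler(164)] * 10 + [linkedit] + [filler(96)] * 12 + [filler(104)]
    if signed:
        cmds.append(struct.pack("<4I", LC_CODE_SIGNATURE, 16, 47824, 5424))
    body = b"".join(cmds)
    image = struct.pack("<7I", MH_MAGIC, 7, 3, 2, len(cmds), len(body), 0) + body
    return image + bytes(total - len(image))

def parse(data):
    """Walk the load commands; return key fields and a file-offset -> field-name map."""
    magic, _, _, _, ncmds, sizeofcmds, _ = struct.unpack_from("<7I", data, 0)
    if magic != MH_MAGIC:
        raise ValueError("not a thin 32-bit little-endian Mach-O")
    info = {"ncmds": ncmds, "sizeofcmds": sizeofcmds, "linkedit": None, "codesig": None}
    fields = {16: "mach_header.ncmds", 20: "mach_header.sizeofcmds"}
    off, limit = 28, 28 + sizeofcmds
    if limit > len(data):
        raise ValueError("load commands run past end of file")
    for _ in range(ncmds):
        if off + 8 > limit:
            raise ValueError("load command overruns sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > limit:
            raise ValueError("load command overruns sizeofcmds")
        name = data[off + 8:off + 24].rstrip(b"\0")
        if cmd == LC_SEGMENT and cmdsize >= 56 and name == b"__LINKEDIT":
            _, vmsize, fileoff, filesize = struct.unpack_from("<4I", data, off + 24)
            info["linkedit"] = {"vmsize": vmsize, "fileoff": fileoff, "filesize": filesize}
            fields.update({off + 28: "__LINKEDIT.vmsize", off + 36: "__LINKEDIT.filesize"})
        elif cmd == LC_CODE_SIGNATURE and cmdsize >= 16:
            dataoff, datasize = struct.unpack_from("<II", data, off + 8)
            info["codesig"] = {"dataoff": dataoff, "datasize": datasize}
            for i, n in enumerate(("cmd", "cmdsize", "dataoff", "datasize")):
                fields[off + 4 * i] = "LC_CODE_SIGNATURE." + n
        off += cmdsize
    return info, fields

def explain_diff(unsigned, signed):
    """Name the 32-bit field behind every differing byte in the common prefix."""
    _, fields = parse(signed)
    return [(i, fields.get(i & ~3, "unmapped"))
            for i in range(min(len(unsigned), len(signed))) if unsigned[i] != signed[i]]

def signature_layout(data):
    """Layout check only (no cryptography). Assumes __LINKEDIT ends at end of file."""
    info, _ = parse(data)
    le, cs = info["linkedit"], info["codesig"]
    if le is None:
        raise ValueError("no __LINKEDIT segment")
    le_end = le["fileoff"] + le["filesize"]
    if cs is None:
        extra = len(data) - le_end
        return "unsigned" if extra == 0 else (
            "no LC_CODE_SIGNATURE, file length differs from __LINKEDIT end by %d" % extra)
    cs_end = cs["dataoff"] + cs["datasize"]
    if cs["dataoff"] < le["fileoff"] or cs_end > le_end or cs_end > len(data):
        return "signature blob outside __LINKEDIT or file"
    return "signed layout"

if __name__ == "__main__":
    for offset, field in explain_diff(build_sample(False), build_sample(True)):
        print("%5d (%x)  %s" % (offset, offset, field))
```

A "signed layout" result only says the load command and the blob's position agree with the header; whether the signature itself is valid is a question for `codesign -v` on the bundle.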

I performed this experiment 'live'. That is to say I was curious about the outcome but didn't know until I started this post and performed the experiment how it would turn out.

I think this proves that code signing can be relatively easily hacked.

Removing everything after 47824 and the CodeResources shite might not have been necessary. I'll leave that as an experiment (for homework) for others.

Something in the system was still aware the old non-copied CLIX2 had not worked and wasn't letting it run. Copying it and running the copy blew that protection right away.

Given adequate preparation and linkage editing tools it should be possible to remove code signing from any Apple OS X executable with the greatest of ease. And given the fact someone made this codesign tool to add gunk to binaries it should follow that someone can create a tool that removes it.

This is more and more a hall of mirrors - a case of seemingly falling down a rabbit hole but after being in free fall a while wondering if it's really a rabbit hole after all.

I've done a quick check of Apple's /Applications on 10.5 Leopard. The results I got show 232 file objects owned root:admin but marked with permissions 100775 - meaning any admin default account process can write to them. 128 of these appear to be real binaries.

232 items, 103238865 bytes, 202840 blocks, 0 bytes in extended attributes.


Now the first thing you're going to hear is 'oh but we never intended this code signing to protect against a targeted attack - it's only there to protect against viruses!'

But the platform doesn't have viruses. It has worms and trojans as all platforms can have - things that spread and tricks like the classic Trojan horse - pretending to be one thing but actually being another. Code that attaches (like a parasite) to executables when run and thereby propagates to further executables all the time - that's unheard of on this platform. But targeted attacks are very real.

Then the next thing is Apple might come and say 'oops - we should have protected those 232 binaries by giving them permissions of 100755 instead - so only root can write to them!'

But dear friends! If the binaries are already protected and can only be modified by root then what's the bloody point of code signing them? If there's a rogue root process in the system it's game over anyway!

Take the end of a Super Bowl where the one team score a touchdown as the clock runs out and gain the lead. They might be entitled to try for an extra point but who the F cares - they've already won!

So try digesting this. See what you come up with. Much obliged.

Copyright © Rixstep. All rights reserved.