All-
Just thought I would post this for those that are curious, I was able to hook the function that actually loads the mach-o module into memory and then write it to a file.
There are two modules that are streamed when you login, the first is the smaller one (ending in 0x620), then about 2-5 seconds later you're sent another module (0x742). Interestingly enough I was able to hook the function that starts to load the module, detour it, return 1 w/o calling it (so the module isn't loaded) - and I could stay logged in for 5 minutes before they would log me out.
If only it had been that simple hah!
Here are the 2 modules: http://dump.ifeedr.com/warden_machO_binaries.zip IDA parses them fine, but don't forget to run the python script to fix some of the function declarations here: http://dump.ifeedr.com/idaConvertFunctions.py
Hopefully someone will find this interesting. I'm still trying to figure out wtf is going on w/in the modules. Annoyed I can't use GDB anymore.
/cry
Enjoy!!