Warden - OS X Mach-O Modules here

[Tanaris4]

All-

Just thought I would post this for those that are curious, I was able to hook the function that actually loads the mach-o module into memory and then write it to a file.

There are two modules that are streamed when you login, the first is the smaller one (ending in 0x620 then about 2-5 seconds later you're sent another module (0x742. Interestingly enough I was able to hook the function that starts to load the module, detour it, return 1 w/o calling it (so the module isn't loaded) - and I could stay logged in for 5 minutes before they would log me out If only it had been that simple hah!

Here are the 2 modules: http://dump.ifeedr.com/warden_machO_binaries.zip IDA parses them fine, but don't forget to run the python script to fix some of the function declarations here: http://dump.ifeedr.com/idaConvertFunctions.py

Hopefully someone will find this interesting I'm still trying to figure out wtf is going on w/in the modules. Annoyed I can't use GDB anymore /cry

Enjoy!!

[DrGonzo]

Dumped warden module from PC and cleaned up IDA DB of it.
http://rapidshare.com/files/403847794/warden.idb.html
http://rapidshare.com/files/403847795/warden.bin.html

edit: re-up'd again

[garoboldy]

can you re-up these again. the limit has been reached. I have free time today to mess with this at the office so if you get a chance I'd appreciate it.

[DrGonzo]

Done. [filler]