A quick'n'dirty analysis of the first cross-platform Linux/Mac trojan (thanks to y0ug for the binary!). The notes below cover a good part of the functionality, but some pieces are still missing; the static analysis part in particular is thin. More to come in the next days.
In short, it is a credential stealer that talks to a C&C server in Poland. The binary carries AES and RC4 code, and RC4 is used to decrypt its embedded configuration strings, but the executable itself is neither packed nor obfuscated. I didn't look for any anti-disassembly/-debug techniques but I'm quite sure I will not find any of them. The targets are Firefox, Thunderbird, SeaMonkey, Chrome/Chromium, Opera and Pidgin.
MD5 : 9a0e765eecc5433af3dc726206ecc56e
SHA1 : 5996d02c142588b6c1ed850e461845458bd94d17
SHA256 : 35ff79dd456fe3054a60fe0a16f38bf5fc3928e1e8439ca4d945573f8c48c0b8
ssdeep : 1536:CkdOMtSwcfp9f25MgHmtS+IekQiPT5cL:CkdOMtufO5MgmYxQiP
VT reports a score of 9 / 42. Judging from the GCC version strings in the binary, it was built under Ubuntu Linux:
ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), BuildID[sha1]=0xeb836a1de23ce2cbe86a30064bc20e9f2c8b024c, stripped
ELF Header:
Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: Intel 80386
Version: 0x1
Entry point address: 0x804ccda
Start of program headers: 52 (bytes into file)
Start of section headers: 63560 (bytes into file)
Flags: 0x0
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 9
Size of section headers: 40 (bytes)
Number of section headers: 21
Section header string table index: 20
Section Headers:
[Nr] Name Type Addr Off Size ES Flg Lk Inf Al
[ 0] NULL 00000000 000000 000000 00 0 0 0
[ 1] .interp PROGBITS 08048154 000154 000013 00 A 0 0 1
[ 2] .note.gnu.build-i NOTE 08048168 000168 000024 00 A 0 0 4
[ 3] .hash HASH 0804818c 00018c 000904 04 A 5 0 4
[ 4] .gnu.hash GNU_HASH 08048a90 000a90 0007d8 04 A 5 0 4
[ 5] .dynsym DYNSYM 08049268 001268 001380 10 A 6 1 4
[ 6] .dynstr STRTAB 0804a5e8 0025e8 000fa9 00 A 0 0 1
[ 7] .gnu.version VERSYM 0804b592 003592 000270 02 A 5 0 2
[ 8] .gnu.version_r VERNEED 0804b804 003804 0000e0 00 A 6 3 4
[ 9] .rel.plt REL 0804b8e4 0038e4 000250 08 A 5 10 4
[10] .plt PROGBITS 0804bb40 003b40 0004b0 04 AX 0 0 16
[11] .text PROGBITS 0804bff0 003ff0 009e92 00 AX 0 0 16
[12] .rodata PROGBITS 08055e88 00de88 000aed 00 A 0 0 8
[13] .eh_frame_hdr PROGBITS 08056978 00e978 000024 00 A 0 0 4
[14] .eh_frame PROGBITS 0805699c 00e99c 000080 00 A 0 0 4
[15] .dynamic DYNAMIC 08057f3c 00ef3c 0000b8 08 WA 6 0 4
[16] .got.plt PROGBITS 08057ff4 00eff4 000134 04 WA 0 0 4
[17] .data PROGBITS 08058128 00f128 000618 00 WA 0 0 4
[18] .bss NOBITS 08058740 00f740 003b64 00 WA 0 0 4
[19] .comment PROGBITS 00000000 00f740 000056 01 MS 0 0 1
[20] .shstrtab STRTAB 00000000 00f796 0000b1 00 0 0 1
Key to Flags:
W (write), A (alloc), X (execute), M (merge), S (strings)
I (info), L (link order), G (group), T (TLS), E (exclude), x (unknown)
O (extra OS processing required) o (OS specific), p (processor specific)
There are no section groups in this file.
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
PHDR 0x000034 0x08048034 0x08048034 0x00120 0x00120 R E 0x4
INTERP 0x000154 0x08048154 0x08048154 0x00013 0x00013 R 0x1
[Requesting program interpreter: /lib/ld-linux.so.2]
LOAD 0x000000 0x08048000 0x08048000 0x0ea1c 0x0ea1c R E 0x1000
LOAD 0x00ef3c 0x08057f3c 0x08057f3c 0x00804 0x04368 RW 0x1000
DYNAMIC 0x00ef3c 0x08057f3c 0x08057f3c 0x000b8 0x000b8 RW 0x4
NOTE 0x000168 0x08048168 0x08048168 0x00024 0x00024 R 0x4
GNU_EH_FRAME 0x00e978 0x08056978 0x08056978 0x00024 0x00024 R 0x4
GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RW 0x4
GNU_RELRO 0x00ef3c 0x08057f3c 0x08057f3c 0x000c4 0x000c4 R 0x1
Several crypto-related globals live in .bss (which starts at 0x08058740), so the AES tables are not stored in the file; InitAESTables fills them in at run time:
0805be8c <g_aes_logt>:
0805bf8c <g_aes_isbox>:
0805c08c <g_aes_ilogt>:
0805c18c <g_aes_sbox>:
0805c28c <EncryptionContext>:
0805c290 <InitializationVector>:
0805c2a0 <DecryptionContext>:
Version References:
required from libdl.so.2:
0x0d696911 0x00 11 GLIBC_2.1
0x0d696910 0x00 07 GLIBC_2.0
required from libpthread.so.0:
0x0d696911 0x00 12 GLIBC_2.1
0x0d696912 0x00 09 GLIBC_2.2
0x0d696910 0x00 03 GLIBC_2.0
required from libc.so.6:
0x0d696912 0x00 10 GLIBC_2.2
0x0d696918 0x00 08 GLIBC_2.8
0x0d696914 0x00 06 GLIBC_2.4
0x0d696911 0x00 05 GLIBC_2.1
0x09691974 0x00 04 GLIBC_2.3.4
0x0d696910 0x00 02 GLIBC_2.0
The binary exports all functions!!11 The static symbol table is stripped, but every function is present in .dynsym (0x1380 bytes of it), which is where the sym.* names in the disassembly below come from. Some of the highlights:
75: 0805160e 332 FUNC GLOBAL DEFAULT 11 GetPidginPasswords
101: 08050d9e 316 FUNC GLOBAL DEFAULT 11 LoadMozillaLibs
138: 08050cb8 194 FUNC GLOBAL DEFAULT 11 FindMozillaLib
195: 08050d7a 36 FUNC GLOBAL DEFAULT 11 CleanUpMozilla
263: 08050eda 1583 FUNC GLOBAL DEFAULT 11 GetMozillaProductPassword
287: 08051c6f 56 FUNC GLOBAL DEFAULT 11 GetGoogleChromePasswords
272: 080557c5 198 FUNC GLOBAL DEFAULT 11 cpGetLog
274: 08051509 261 FUNC GLOBAL DEFAULT 11 GetOperaWand
The interesting strings:
FCONNECT %s:%d HTTP/1.0
%s%s
%.2d/%.2d/%d %.2d:%.2d:%.2d
%llu
%s/%s
/proc/%i/exe
http://%s%s
GET %s HTTP/1.1
Host: %s
Connection: close
/proc/
/proc/stat
btime
/proc/%s/stat
%s (%[^)]
/proc/%s/exe
/bin/sh
/bin/bash
exit
Path=
firefox-3*
/usr/lib
firefox-4*
thunderbird-*
libmozsqlite3.so
HOME
%s/.mozilla/firefox/profiles.ini
%s/.mozilla/firefox/%s
%s/.thunderbird/profiles.ini
%s/.thunderbird/%s
%s/.mozilla/seamonkey/profiles.ini
%s/.mozilla/seamonkey/%s
%s/signons.sqlite
NSS_Init
sqlite3_open
sqlite3_close
sqlite3_prepare_v2
sqlite3_step
sqlite3_column_text
select * from moz_logins
%c%s
%s/.opera/wand.dat
%s/.purple/accounts.xml
<protocol>
<name>
<password>
%s/.config/google-chrome/Default/Login Data
%s/.config/chromium/Default/Login Data
USER
Unknown
/etc/lsb-release
/etc/
version
PATH
%s/.config/autostart/%s.desktop
/tmp/.%s
%s/.config/autostart
%s/%s.desktop
[Desktop Entry]
Type=Application
Exec="%s"
Hidden=false
Name=%s
%s/.xinitrc
GCC: (Ubuntu/Linaro 4.6.2-10ubuntu1~10.04.2) 4.6.2
GCC: (Ubuntu 4.4.3-4ubuntu5) 4.4.3
The strings reveal the targets (Firefox, Thunderbird and SeaMonkey via NSS and signons.sqlite, Chrome/Chromium via the Login Data database, Opera's wand.dat, Pidgin's accounts.xml), the persistence mechanism (a .desktop file in ~/.config/autostart, plus ~/.xinitrc), a look at /etc/lsb-release for the running distribution, and an HTTP GET and a CONNECT request template for the C&C traffic.
I used Bokken + radare as disassembler. The malware starts by initializing the crypto code. The InitTransfersList function seems useless:
| 0x0804cce4 e84c780000 call dword sym.InitAESTables
| 0x0804cce9 8d6c2406 lea ebp, [esp+0x6]
| 0x0804cced e8ee630000 call dword sym.InitTransfersList
| 0x0804ccf2 e8d1610000 call dword sym.ReadSettings
The ReadSettings function is interesting: this is where the embedded configuration strings get decrypted. The cipher is RC4. Every call to RC4Crypt gets the key state (ebx), the address of the encrypted buffer and its length, so the pushed constants double as the buffer sizes for the decryption script:
| 0x08052e07 68ff000000 push dword 0xff
| 0x08052e0c 6810860508 push dword sym.ConnectionString
| 0x08052e11 53 push ebx
| 0x08052e12 e8ef1a0000 call dword sym.RC4Crypt
| 0x08052e17 83c40c add esp, 0xc
| 0x08052e1a 68ff000000 push dword 0xff
| 0x08052e1f 6810850508 push dword sym.ProxyString
| 0x08052e24 53 push ebx
| 0x08052e25 e8dc1a0000 call dword sym.RC4Crypt
| 0x08052e2a 83c40c add esp, 0xc
| 0x08052e2d 6a20 push 0x20
| 0x08052e2f 68ec840508 push dword sym.Password
| 0x08052e34 53 push ebx
| 0x08052e35 e8cc1a0000 call dword sym.RC4Crypt
| 0x08052e3a 83c40c add esp, 0xc
| 0x08052e3d 6a10 push 0x10
| 0x08052e3f 68c4840508 push dword sym.HostId
| 0x08052e44 53 push ebx
| 0x08052e45 e8bc1a0000 call dword sym.RC4Crypt
| 0x08052e4d 6a08 push 0x8
| 0x08052e4f 68b8840508 push dword sym.MutexName
| 0x08052e54 53 push ebx
| 0x08052e55 e8ac1a0000 call dword sym.RC4Crypt
| 0x08052e5d 6880000000 push dword 0x80
| 0x08052e62 6834840508 push dword sym.InstallPath
| 0x08052e67 53 push ebx
| 0x08052e68 e8991a0000 call dword sym.RC4Crypt
| 0x08052e70 6a10 push 0x10
| 0x08052e72 6820840508 push dword sym.StartupKeyName1
| 0x08052e77 53 push ebx
| 0x08052e78 e8891a0000 call dword sym.RC4Crypt
| 0x08052e80 6a26 push 0x26
| 0x08052e82 68f8830508 push dword sym.StartupKeyName2
| 0x08052e87 53 push ebx
| 0x08052e88 e8791a0000 call dword sym.RC4Crypt
| 0x08052e90 6880000000 push dword 0x80
| 0x08052e95 6874830508 push dword sym.KeyLoggerFileName
| 0x08052e9a 53 push ebx
| 0x08052e9b e8661a0000 call dword sym.RC4Crypt
| 0x08052ea3 6a03 push 0x3
| 0x08052ea5 6870830508 push dword sym.BoolSettingsByte
| 0x08052eaa 53 push ebx
| 0x08052eab e8561a0000 call dword sym.RC4Crypt
| 0x08052eb3 6a03 push 0x3
| 0x08052eb5 686c830508 push dword sym.ConnectionType
| 0x08052eba 53 push ebx
| 0x08052ebb e8461a0000 call dword sym.RC4Crypt
[...]
The 16-byte key is stored in plain in .data (sym.BuilderEncryptionKey, 0x080584d8). ReadSettings pushes its address together with a pointer to a stack buffer (the RC4 state at [esp+0x14], kept in ebx for the later RC4Crypt calls) and calls RC4Setup:
0x080584d8 55b9c7d6 ac4a34df c26af4e3 d8c9cc42 U....J4..j.....B
| 0x08052df5 68d8840508 push dword sym.BuilderEncryptionKey
| 0x08052dfa 8d5c2414 lea ebx, [esp+0x14]
| 0x08052dfe 53 push ebx
| 0x08052dff e8881a0000 call dword sym.RC4Setup
[...]
This is the dump of the encrypted ConnectionString (0xff bytes at 0x08058610, file offset 0xf610):
8058610 4615bb67 5fd713bf d40a9b22 eb2fc3ae F..g_......"./..
8058620 71329db5 e21e362e 10e1e75e eefc7a40 q2....6....^..z@
8058630 7461ef61 6fdff850 64e4eaf0 cd4e65cc ta.ao..Pd....Ne.
8058640 7e382e40 9f5caec7 015126bc d894a5fc ~8.@.\...Q&.....
8058650 864d6abc 34becba0 5c40faab 4717b4cf .Mj.4...\@..G...
8058660 a491c2d7 c963b88d 9052d4e2 7347f488 .....c...R..sG..
8058670 c42b075e 8d2d6c47 4c5edf6f 232b656f .+.^.-lGL^.o#+eo
8058680 bc9d951f 4447d0bf 58cacaca 07f09e33 ....DG..X......3
8058690 069eca42 9832e04c a4c36bb3 6975013e ...B.2.L..k.iu.>
80586a0 b5426cb1 f3562d6a e5bad826 63355590 .Bl..V-j...&c5U.
80586b0 636c21c4 e0411569 01e31a6c 1d7c0489 cl!..A.i...l.|..
80586c0 b4cd7b8e b28da3ac 4801553c 3a4fcb7e ..{.....H.U<:O.~
80586d0 2cb27bdd ff47bb21 a74f9cfe edb39194 ,.{..G.!.O......
80586e0 a83d1e9c 04b93a5d d4270101 39089e77 .=....:].'..9..w
80586f0 6e7a4674 7bf62f26 69562056 ec1b4609 nzFt{./&iV V..F.
8058700 e0af6ef6 b65fb7cc b3db171d ded27f00
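The file offsets used in the script below (0xf4d8 for the key, 0xf610 for the ConnectionString) are the .data virtual addresses from the disassembly translated through the PT_LOAD entries of the readelf output. As an added example (not code from the original post), here is that translation, fed with the two LOAD lines from above; it also shows why the AES tables at 0x0805be8c cannot be read from the file: they sit in the .bss part of the RW segment (memsz beyond filesz) and only exist after InitAESTables has run.

```python
# Added example: map virtual addresses from the disassembly to file offsets
# using the PT_LOAD entries of the readelf -l output above.
import re

# The two LOAD lines copied from the readelf output of the Linux sample.
READELF_LOAD_LINES = """
LOAD 0x000000 0x08048000 0x08048000 0x0ea1c 0x0ea1c R E 0x1000
LOAD 0x00ef3c 0x08057f3c 0x08057f3c 0x00804 0x04368 RW 0x1000
"""

# Offset, VirtAddr, (PhysAddr skipped), FileSiz, MemSiz
LOAD_RE = re.compile(
    r"^\s*LOAD\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+0x[0-9a-f]+"
    r"\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)", re.I)


def parse_load_segments(text):
    """Return (offset, vaddr, filesz, memsz) tuples, one per PT_LOAD line."""
    segments = []
    for line in text.splitlines():
        m = LOAD_RE.match(line)
        if m:
            segments.append(tuple(int(v, 16) for v in m.groups()))
    return segments


def vaddr_to_offset(segments, vaddr):
    """File offset that backs vaddr, or None when the address is mapped but
    has no file backing (memsz beyond filesz, i.e. .bss)."""
    for offset, base, filesz, memsz in segments:
        if base <= vaddr < base + memsz:
            if vaddr < base + filesz:
                return vaddr - base + offset
            return None
    raise ValueError("0x%08x is not inside any PT_LOAD segment" % vaddr)


SEGMENTS = parse_load_segments(READELF_LOAD_LINES)

if __name__ == "__main__":
    for name, va in (("BuilderEncryptionKey", 0x080584d8),
                     ("ConnectionString", 0x08058610),
                     ("g_aes_logt", 0x0805be8c)):
        off = vaddr_to_offset(SEGMENTS, va)
        where = "file offset 0x%x" % off if off is not None else "not in file (.bss)"
        print("%-20s 0x%08x -> %s" % (name, va, where))
```

The rule of thumb the script relies on, offset = vaddr - 0x08049000, is just the second LOAD entry: 0x08057f3c - 0x00ef3c.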
In order to decrypt all strings, I wrote a small Python script using the RC4 code from http://www.joonis.de/content/RC4ARC4ARCFOURAlgorithmForPython:
#!/usr/bin/env python3
# Decrypts the RC4-protected settings of the Linux sample (run: python rc4.py [file]).
# The original used decrypt() from joonis.de with decode=None and salt_length=0,
# which is plain RC4; the elided code is replaced by a standard KSA/PRGA here.
import sys


def rc4(key, data):
    """Plain RC4: key schedule, then XOR data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xff
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xff
        j = (j + s[i]) & 0xff
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xff])
    return bytes(out)


# (name, file offset, length): offset = .data address from the disassembly - 0x08049000
# (the RW LOAD segment maps vaddr 0x08057f3c to file offset 0xef3c); length = the value
# ReadSettings pushes before the matching RC4Crypt call. ProxyString (0xf510, 0xff)
# is left out as in the original run.
SETTINGS = [
    ("ConnectionString",  0xf610, 0xff),
    ("Password",          0xf4ec, 0x20),   # the binary pushes 0x20 here, not 0xff
    ("HostId",            0xf4c4, 0x10),
    ("MutexName",         0xf4b8, 0x08),
    ("InstallPath",       0xf434, 0x80),
    ("StartupKeyName1",   0xf420, 0x10),
    ("StartupKeyName2",   0xf3f8, 0x26),
    ("KeyLoggerFileName", 0xf374, 0x80),
    ("BoolSettingsByte",  0xf370, 0x03),
    ("ConnectionType",    0xf36c, 0x03),
]

if __name__ == '__main__':
    bin = sys.argv[1] if len(sys.argv) > 1 else "9a0e765eecc5433af3dc726206ecc56e"
    with open(bin, "rb") as m:                 # binary mode; "r" would mangle the bytes
        m.seek(0xf4d8)                         # sym.BuilderEncryptionKey, 16 bytes
        key = m.read(0x10)
        for name, offset, length in SETTINGS:
            m.seek(offset)
            plain = rc4(key, m.read(length))
            # each setting is a NUL-terminated C string; drop the padding
            print(plain.split(b"\0", 1)[0].decode("latin-1"))
The results, in script order (ConnectionString, Password, HostId, MutexName, InstallPath, StartupKeyName1, StartupKeyName2, KeyLoggerFileName, BoolSettingsByte, ConnectionType):
% python rc4.py
212.7.208.65:4141
sm0k4s523syst3m523
LINUX
vJEewiWD
%home%/WIFIADAPT
WIFIADAPTER
-
%Home%\.m8d.dat
237
001
The malware also runs a keylogger. The decrypted KeyLoggerFileName is %Home%\.m8d.dat (note the Windows-style backslash in a Linux build); on the test system the keystrokes end up in $HOME/.m8d.dat. ltrace shows each key being formatted with snprintf before it is written:
[...]
3188 snprintf("c", 32, "%s", "c") = 1
3188 snprintf("a", 32, "%s", "a") = 1
3188 snprintf("t", 32, "%s", "t") = 1
3188 snprintf(" ", 32, "%s", " ") = 1
3188 snprintf("/", 32, "%s", "/") = 1
3188 snprintf("p", 32, "%s", "p") = 1
3188 snprintf("r", 32, "%s", "r") = 1
3188 snprintf("[Tab]", 32, "[Tab]") = 5
3188 snprintf("/", 32, "%s", "/") = 1
3188 snprintf("m", 32, "%s", "m") = 1
3188 snprintf("a", 32, "%s", "a") = 1
3188 snprintf("[Tab]", 32, "[Tab]") = 5
3188 snprintf("[Enter]", 32, "[Enter]") = 7
3188 snprintf("[Arrow Up]", 32, "[Arrow Up]") = 10
[...]
It created a file named /tmp/.vJEewiWD, which is 0 bytes after the run. The name is the decrypted MutexName passed through the /tmp/.%s format string, presumably a run-once marker. I was yet too lazy to grab all files created, maybe later. It also saves a local copy as $HOME/WIFIADAPT (the InstallPath setting). Now this is stealth!1 :) It checks the number of available CPUs in /sys/devices/system/cpu/online. Further, it reads quite some files from /usr/share/X11/locale/. Not sure if that is related to any libraries or if this was intentional.
It registers itself in the GNOME autostart folder:
% cat /home/ubuntu/.config/autostart/WIFIADAPTER.desktop
[Desktop Entry]
Type=Application
Exec="/home/ubuntu/WIFIADAPT"
Hidden=false
Name=WIFIADAPTER
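As an added example (not code from the original post), a small host check for the artefacts seen in this run: the InstallPath copy, the autostart entry, the keylogger file and the /tmp marker, plus a generic pass over ~/.config/autostart that flags any entry whose Exec target lives inside the home directory, since that is exactly how this sample persists. The demo() fixture is constructed for the test; the paths are the ones from the run above.

```python
# Added example: look for this sample's artefacts and for autostart entries
# that launch something from inside $HOME.
import os
import shutil
import tempfile

# Relative to $HOME; taken from the decrypted settings and the run above.
IOC_HOME_PATHS = [
    "WIFIADAPT",                                # InstallPath (%home%/WIFIADAPT)
    ".config/autostart/WIFIADAPTER.desktop",    # autostart entry
    ".m8d.dat",                                 # keylogger output
]
IOC_TMP_NAME = ".vJEewiWD"                      # /tmp/.%s with the MutexName

# The .desktop file as dumped in the post.
DESKTOP_SAMPLE = """[Desktop Entry]
Type=Application
Exec="/home/ubuntu/WIFIADAPT"
Hidden=false
Name=WIFIADAPTER
"""


def exec_target(lines):
    """Return the program named by the Exec= key of a .desktop file, or None.
    Handles the quoted form this sample writes and the usual unquoted form."""
    for line in lines:
        line = line.strip()
        if not line.startswith("Exec="):
            continue
        value = line[len("Exec="):].strip()
        if value.startswith('"'):
            return value[1:].split('"', 1)[0]
        return value.split(None, 1)[0] if value else None
    return None


def check_host(home, tmp="/tmp"):
    """Return (reason, path) tuples for everything suspicious under home/tmp."""
    findings = []
    for rel in IOC_HOME_PATHS:
        path = os.path.join(home, rel)
        if os.path.lexists(path):
            findings.append(("known IOC", path))
    path = os.path.join(tmp, IOC_TMP_NAME)
    if os.path.lexists(path):
        findings.append(("known IOC", path))
    autostart = os.path.join(home, ".config", "autostart")
    home_prefix = os.path.realpath(home) + os.sep
    if os.path.isdir(autostart):
        for name in sorted(os.listdir(autostart)):
            if not name.endswith(".desktop"):
                continue
            entry = os.path.join(autostart, name)
            with open(entry, "r", errors="replace") as f:
                target = exec_target(f)
            # Package-installed autostart entries launch from /usr or /opt;
            # a binary inside the home directory is the pattern this sample uses.
            if target and os.path.realpath(target).startswith(home_prefix):
                findings.append(("autostart Exec inside $HOME", entry))
    return findings


def demo():
    """Build a throw-away fixture that mimics an infected home and check it."""
    root = tempfile.mkdtemp()
    try:
        home, tmp = os.path.join(root, "home"), os.path.join(root, "tmp")
        os.makedirs(os.path.join(home, ".config", "autostart"))
        os.makedirs(tmp)
        for rel in ("WIFIADAPT", ".m8d.dat"):
            open(os.path.join(home, rel), "wb").close()
        open(os.path.join(tmp, IOC_TMP_NAME), "wb").close()
        with open(os.path.join(home, ".config", "autostart", "WIFIADAPTER.desktop"), "w") as f:
            f.write(DESKTOP_SAMPLE.replace("/home/ubuntu", home))
        with open(os.path.join(home, ".config", "autostart", "benign.desktop"), "w") as f:
            f.write("[Desktop Entry]\nType=Application\nExec=/usr/bin/true\n")
        return check_host(home, tmp)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for reason, path in check_host(os.path.expanduser("~")) or [("nothing found", "")]:
        print(reason, path)
```

The autostart rule is the part worth keeping after the specific names change: the sample could be rebuilt with a different InstallPath and .desktop name, but an autostart entry pointing back into the user's own home directory stays unusual.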
Right from the start, the malware connects to 212.7.208.65, port 4141 (the decrypted ConnectionString). The IP is registered in Poland:
organisation: ORG-DDSS1-RIPE
org-name: Dediserv Dedicated Servers Sp. z o.o.
org-type: LIR
address: Dediserv Dedicated Servers Sp. z o.o.
Dino Strzeminski
Jaracza 3/49
00-378 Warszawa
POLAND
It tries to reach the C&C server. The bytes below are not application data: they are the 40-byte TCP header of the outgoing SYN (destination port 0x102d = 4141, flags word 0xa002 = data offset of 10 words plus SYN, followed by MSS, SACK-permitted, timestamp, NOP and window-scale options). No payload had been sent at this point:
0000000: 9fa2 102d b5e9 7c46 0000 0000 a002 3908 ...-..|F......9.
0000010: 519e 0000 0204 05b4 0402 080a 0001 da58 Q..............X
0000020: 0000 0000 0103 0304 ........
This was against INetSim, I will check with a real connection later!
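Added example (not part of the original post): a decoder for the captured bytes. Fed with the dump above it reports source port 40866, destination port 4141, flags SYN, MSS 1460, SACK permitted, timestamps, window scale 4 and an empty payload; whatever the malware sends after the handshake is not in this capture.

```python
# Added example: parse the 40 captured bytes as a TCP segment (no IP header).
import struct

# Constructed from the xxd dump in the post.
CAPTURED = bytes.fromhex(
    "9fa2102db5e97c4600000000a0023908519e0000"
    "020405b40402080a0001da580000000001030304"
)

FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR")
OPTION_NAMES = {2: "MSS", 3: "WScale", 4: "SACKok", 8: "Timestamps"}


def parse_options(raw):
    """Walk the TCP option TLVs. Kind 0 ends the list, kind 1 (NOP) has no
    length byte, everything else is kind, length, data."""
    opts = []
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:
            break
        if kind == 1:
            opts.append(("NOP", b""))
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed option at offset %d" % i)
        length = raw[i + 1]
        opts.append((OPTION_NAMES.get(kind, "kind%d" % kind), raw[i + 2:i + length]))
        i += length
    return opts


def parse_tcp(segment):
    """Parse a TCP segment into a dict; refuses truncated or inconsistent input."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset %d" % data_offset)
    flags = [name for bit, name in enumerate(FLAG_NAMES) if off_flags & (1 << bit)]
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": flags, "window": window, "checksum": csum,
        "options": parse_options(segment[20:data_offset]),
        "payload": segment[data_offset:],
    }


def describe(segment):
    """One-line summary of the segment, e.g. '40866 -> 4141 [SYN] win=14600 ...'."""
    h = parse_tcp(segment)
    opts = dict(h["options"])
    parts = ["%d -> %d" % (h["sport"], h["dport"]),
             "[%s]" % ",".join(h["flags"]), "win=%d" % h["window"]]
    for name in ("MSS", "WScale"):
        if name in opts:
            parts.append("%s=%d" % (name, int.from_bytes(opts[name], "big")))
    parts.append("payload=%d bytes" % len(h["payload"]))
    return " ".join(parts)


if __name__ == "__main__":
    print(describe(CAPTURED))
```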
The malware also comes in a Mac version (it's not a bug, it's a feature). A quick analysis follows:
MD5 : d048f7ae2d244a264e58af67b1a20db0
SHA1 : c520e9099bfc695b54662bdb7e8fa5b2800a72e9
SHA256 : 137e17ed0c693f5ba23c3f3bf252f7edc29548d97f426625a4e0c5fea0558e45
ssdeep : 1536:zKyRSXtFgAmbkF5xeK5eCPBXcN+XRbTu5UfKUKPIoKd89don:LMXtlmbo+hCPBXccRbTuaPgfs8don
The basic picture is the same. A good opportunity to use my ancient Mach-O binary analyzer dermob. Source available on request.
% ./dermob d048f7ae2d244a264e58af67b1a20db0
dermob -- mach-o binary analyzer
(c) 2006-11 by xhr (@giessen.ccc.de)
Magic: 0xfeedface
CPU Type: x86_32
Subtype: 3
Filetype: 0x2
No load cmds: 16 cmds
Size of cmds: 2008 bytes
Flags: 0x01000085
- Load command: 1
Command: LC_SEGMENT
Command size: 56 bytes
Name: __PAGEZERO
VM addr: 0x00000000
VM size: 0x00001000
VM size: 0x00001000
File offset: 0x00000000
File size: 0 bytes
Max prot: 0x00000000
Init prot: 0x00000000
No of sects: 0
Flags: 0x00000000
- Load command: 2
Command: LC_SEGMENT
Command size: 464 bytes
Name: __TEXT
VM addr: 0x00001000
VM size: 0x0000f000
VM size: 0x0000f000
File offset: 0x00000000
File size: 61440 bytes
Max prot: 0x00000007
Init prot: 0x00000005
No of sects: 6
Flags: 0x00000000
+ Section 1
Sectname: __text
VM addr: 0x00001e24
VM size: 53014 bytes
Offset: 3620
+ Section 2
Sectname: __symbol_stub
VM addr: 0x0000ed3a
VM size: 756 bytes
Offset: 56634
+ Section 3
Sectname: __stub_helper
VM addr: 0x0000f030
VM size: 1272 bytes
Offset: 57392
+ Section 4
Sectname: __cstring
VM addr: 0x0000f528
VM size: 1656 bytes
Offset: 58664
+ Section 5
Sectname: __const
VM addr: 0x0000fba0
VM size: 1032 bytes
Offset: 60320
+ Section 6
Sectname: __unwind_info
VM addr: 0x0000ffa8
VM size: 72 bytes
Offset: 61352
- Load command: 3
Command: LC_SEGMENT
Command size: 600 bytes
Name: __DATA
VM addr: 0x00010000
VM size: 0x00005000
VM size: 0x00005000
File offset: 0x0000f000
File size: 4096 bytes
Max prot: 0x00000007
Init prot: 0x00000003
No of sects: 8
Flags: 0x00000000
+ Section 7
Sectname: __program_vars
VM addr: 0x00010000
VM size: 20 bytes
Offset: 61440
+ Section 8
Sectname: __nl_symbol_ptr
VM addr: 0x00010014
VM size: 144 bytes
Offset: 61460
+ Section 9
Sectname: __la_symbol_ptr
VM addr: 0x000100a4
VM size: 504 bytes
Offset: 61604
+ Section 10
Sectname: __data
VM addr: 0x000102a0
VM size: 1708 bytes
Offset: 62112
+ Section 11
Sectname: __const
VM addr: 0x00010960
VM size: 40 bytes
Offset: 63840
+ Section 12
Sectname: __cfstring
VM addr: 0x00010988
VM size: 16 bytes
Offset: 63880
+ Section 13
Sectname: __common
VM addr: 0x000109a0
VM size: 1088 bytes
Offset: 0
+ Section 14
Sectname: __bss
VM addr: 0x00010de0
VM size: 14108 bytes
Offset: 0
- Load command: 4
Command: LC_SEGMENT
Command size: 56 bytes
Name: __LINKEDIT
VM addr: 0x00015000
VM size: 0x00003074
VM size: 0x00003074
File offset: 0x00010000
File size: 12404 bytes
Max prot: 0x00000007
Init prot: 0x00000001
No of sects: 0
Flags: 0x00000000
- Load command: 5
Command:
Command size: 48 bytes
- Load command: 6
Command: LC_SYMTAB
Command size: 24 bytes
Symbol table offset: 73000 bytes
Symbol table entries: 136
String table offset: 75784 bytes
String table size: 2156 bytes
- Load command: 7
Command: LC_DYSYMTAB
Command size: 80 bytes
ilocalsym: 0
nlocalsym: 1
iextdefsym: 1
nextdefsym: 1
iundefsym: 2
nundefsym: 134
tocoff: 0
ntoc: 0
modtaboff: 0
nmodtab: 0
extrefsymoff: 0
nextrefsyms: 0
indirectsymoff: 74632
nindirectsyms: 288
extreloff: 0
nextrel: 09fb5
locreloff: 0
nlocrel: 0
- Load command: 8
Command: LC_LOAD_DYLINKER
Command size: 28 bytes
- Load command: 9
Command:
Command size: 24 bytes
- Load command: 10
Command: LC_UNIXTHREAD
Command size: 80 bytes
- Load command: 11
Command: LC_LOAD_DYLIB
Command size: 52 bytes
Timestamp: Thu Jan 1 01:00:02 1970
Current version: 0x7d020b
Compat version: 0x10000
- Load command: 12
Command: LC_LOAD_DYLIB
Command size: 96 bytes
Timestamp: Thu Jan 1 01:00:02 1970
Current version: 0x2ef3f00
Compat version: 0x12c0000
- Load command: 13
Command: LC_LOAD_DYLIB
Command size: 84 bytes
Timestamp: Thu Jan 1 01:00:02 1970
Current version: 0xf0000
Compat version: 0x10000
- Load command: 14
Command: LC_LOAD_DYLIB
Command size: 100 bytes
Timestamp: Thu Jan 1 01:00:02 1970
Current version: 0x2c0000
Compat version: 0x10000
- Load command: 15
Command: LC_LOAD_DYLIB
Command size: 104 bytes
Timestamp: Thu Jan 1 01:00:02 1970
Current version: 0x2262c00
Compat version: 0x960000
- Load command: 16
Command: LC_LOAD_DYLIB
Command size: 112 bytes
Timestamp: Thu Jan 1 01:00:02 1970
Current version: 0x260000
Compat version: 0x10000
The strings tell the same story as the Linux version, now with the macOS profile locations (including odd .Library variants) and an Info.plist template, presumably used to write its own .app bundle:
%s/Library/Opera/wand.dat
%s/.Library/Opera/wand.dat
/Applications/%s.app/Contents/MacOS/%s
/Applications/%s.app/Contents/MacOS/libmozsqlite3.dylib
%s/%s
%s/Library/Application Support/Firefox
%s/Library/Mozilla/Firefox
%s/.Library/Application Support/Firefox
%s/.Library/Mozilla/Firefox
%s/Library/Application Support/Thunderbird
%s/Library/Thunderbird
%s/.Library/Application Support/Thunderbird
%s/.Library/Thunderbird
%s/Library/Application Support/SeaMonkey
%s/Library/SeaMonkey
%s/.Library/Application Support/SeaMonkey
%s/.Library/SeaMonkey
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleDevelopmentRegion</key>
<string>English</string>
<key>CFBundleExecutable</key>
<string>%s</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundleName</key>
<string>%s</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleShortVersionString</key>
<string>4.5.3</string>
<key>CFBundleVersion</key>
<string>99.2</string>
<key>LSMinimumSystemVersion</key>
<string>10.3</string>
<key>NSMainNibFile</key>
<string>%s</string>
<key>NSPrincipalClass</key>
<string>NSApplication</string>
</dict>
</plist>
The ReadSettings logic works the same as in the Linux version: the three calls below with lengths 0xff, 0xff and 0x20 are the ConnectionString, ProxyString and Password decryptions, with the buffers addressed PIC-style relative to ebx. Unfortunately, Bokken gave up analyzing the executable so I had to switch to otool under Mac. And this produces AT&T asm, sigh:
[...]
00009fee calll 0x0000d943
00009ff3 movl $0x000000ff,0x08(%esp)
00009ffb leal 0x000065d1(%ebx),%eax
0000a001 movl %eax,0x04(%esp)
0000a005 movl %esi,(%esp)
0000a008 calll 0x0000d9b3
0000a00d movl $0x000000ff,0x08(%esp)
0000a015 leal 0x000066d1(%ebx),%eax
0000a01b movl %eax,0x04(%esp)
0000a01f movl %esi,(%esp)
0000a022 calll 0x0000d9b3
0000a027 movl $0x00000020,0x08(%esp)
0000a02f leal 0x000067d1(%ebx),%eax
0000a035 movl %eax,0x04(%esp)
0000a039 movl %esi,(%esp)
0000a03c calll 0x0000d9b3
[...]
Enough for now :)