Fairplay research - Some RE work on Apple's Fairplay DRM

Overview

Poor Man's Kernel Debugger

This project loads the FairPlayIOKit kernel driver into userspace and makes it possible to debug it with LLDB.

How to Compile

In project folder

mkdir build && cd build
cmake ..
make

Notice

It has built-in branch tracing support; before debugging in lldb, you may need to disable this feature by commenting out the relevant code.

How to Debug

Caveats

An Apple Silicon device is required. Tested on 11.2 (build 20D64); may not work on 11.3 and newer versions.

Root privileges are required for host_get_special_port.
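A pre-flight check that mirrors the caveats above (arm64, a known-good build, root for host_get_special_port), written as an added example rather than taken from the uloader project; the list of known-good builds is an assumption, since the page only states that 11.2 build 20D64 was tested.

```shell
#!/bin/sh
# Added example, not part of uloader. Assumption: only build 20D64 is treated
# as known-good, because that is the only build the README reports as tested.
KNOWN_GOOD_BUILDS="20D64"

# check_env ARCH BUILD UID -> returns 0 if every prerequisite holds, 1 otherwise.
# The values are passed in so the check can be exercised without root or a Mac.
check_env() {
    arch="$1"; build="$2"; uid="$3"; rc=0
    if [ "$arch" != "arm64" ]; then
        echo "Apple Silicon (arm64) required, got: $arch" >&2; rc=1
    fi
    case " $KNOWN_GOOD_BUILDS " in
        *" $build "*) ;;
        *) echo "build $build is untested (11.3 and newer may not work)" >&2; rc=1 ;;
    esac
    if [ "$uid" -ne 0 ]; then
        echo "root required for host_get_special_port (uid $uid)" >&2; rc=1
    fi
    return $rc
}

# With --run, probe the real machine and only then start the lldb session.
if [ "${1:-}" = "--run" ]; then
    check_env "$(uname -m)" "$(sw_vers -buildVersion)" "$(id -u)" \
        && exec lldb build/uloader
fi
```

Invoke as `sudo sh preflight.sh --run` from the project folder; without `--run` the script only defines check_env.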

Before debugging, set a breakpoint right after the point where the loader notifies the debugger of the manually loaded KEXT; fairplay_init is a good choice.

lldb build/uloader 
(lldb) b fairplay_init
Breakpoint 1: where = uloader`fairplay_init, address = 0x0000000100007bb8
(lldb) r
Process 30277 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
    frame #0: 0x0000000100007bb8 uloader`fairplay_init
uloader`fairplay_init:
->  0x100007bb8 <+0>:  sub    sp, sp, #0x50             ; =0x50 
    0x100007bbc <+4>:  stp    x29, x30, [sp, #0x40]
    0x100007bc0 <+8>:  add    x29, sp, #0x40            ; =0x40 
    0x100007bc4 <+12>: stur   x0, [x29, #-0x10]
Target 0: (uloader) stopped.

List images like a kernel debugger:

(lldb) image list
[  0] 2EB7F208-4321-3545-A778-FE25D1FEB253 0x0000000100000000 /Users/pwn0rz/work/dev/fairplay/build/uloader 
[ 44] A9299904-1979-3514-A8DB-9EDA8159DD55 0x000000010045c000 /System/Library/Extensions/FairPlayIOKit.kext/Contents/MacOS/FairPlayIOKit 

Set a breakpoint. Even a watchpoint is possible :3

(lldb) b fcHfFIGhsx
Breakpoint 2: where = FairPlayIOKit`fcHfFIGhsx, address = 0x000000010056bbe8

Additional Resources

Owner
pwnorz