FakeSMC V2

andyvand · #1 09-26-2009, 04:52 PM

Netkas has released FakeSMC V2
Get it from:
http://netkas.org/?p=215

andyvand · #2 09-26-2009, 05:34 PM

I think it's very cool on how it tricks "Dont steal Mac OS X.kext" to think it actually runs on a genuine Mac because of OSK1 and OSK2

xXrkidXx · #3 09-26-2009, 05:39 PM

wow thats amazing! Ill be using that When booting Snow Leo, right when ur kernel comes out!

andyvand · #4 09-27-2009, 10:31 AM

I have remade the tools apb_encrypt and apb_decrypt and smc_read
the ones indicated as "legal" query the SMC
Get them from: http://rapidshare.com/files/285582619/SMC_Tools.zip

Lykich · #5 09-27-2009, 04:33 PM

Ahdy,how to use the utility?

andyvand · #6 09-28-2009, 12:07 PM

Quote:

Originally Posted by Lykich

Ahdy,how to use the utility?

cd into build/Release
./apb_decrypt <encrypted_bin> <decrypted_bin>
./apb_encrypt <unencrypted_bin> <encrypted_bin>
same for apb_encrypt_legal or apb_decrypt_legal
./smc_read
for testing fakesmc...
Only works for Leopard as I don't yet have the encryption algo's for Snow Leopard...

andyvand · #7 09-28-2009, 10:42 PM

Quote:

Originally Posted by andyvand

cd into build/Release
./apb_decrypt <encrypted_bin> <decrypted_bin>
./apb_encrypt <unencrypted_bin> <encrypted_bin>
same for apb_encrypt_legal or apb_decrypt_legal
./smc_read
for testing fakesmc...
Only works for Leopard as I don't yet have the encryption algo's for Snow Leopard...

Correction: it decrypts 32bit encrypted binaries for Snow Leopard...
I'll check Dont steal Mac OS X to see if I can get it going for 64bit too...
It would be cool to have decrypts for SL

bobtom0 · #8 09-30-2009, 02:11 AM

I can't get this to work. I tested this on snow leo using lipo to strip out the x32 version of Finder then ran the decrypt util on it but when I launch it it won't launch.

Did anyone else get this to work?

CupOfJava · #9 12-11-2009, 04:25 PM

There is a difference in the way Apple decodes the binaries on a Mac OS X 10.6 versus 10.5.

1st The binary pages are decoded on 10.6 with a salt "0x2e69cf40". Here is the relevant source:

Code:

#define	APPLE_UNPROTECTED_HEADER_SIZE	(3 * PAGE_SIZE_64)

static load_return_t
unprotect_segment(
	uint64_t	file_off,
	uint64_t	file_size,
	struct vnode	*vp,
	off_t		macho_offset,
	vm_map_t	map,
	vm_map_offset_t	map_addr,
	vm_map_size_t	map_size)
{
	kern_return_t	kr;

	/*
	 * The first APPLE_UNPROTECTED_HEADER_SIZE bytes (from offset 0 of
	 * this part of a Universal binary) are not protected...
	 * The rest needs to be "transformed".
	 */
	if (file_off <= APPLE_UNPROTECTED_HEADER_SIZE &&
	    file_off + file_size <= APPLE_UNPROTECTED_HEADER_SIZE) {
		/* it's all unprotected, nothing to do... */
		kr = KERN_SUCCESS;
	} else {
		if (file_off <= APPLE_UNPROTECTED_HEADER_SIZE) {
			/*
			 * We start mapping in the unprotected area.
			 * Skip the unprotected part...
			 */
			vm_map_offset_t	delta;

			delta = APPLE_UNPROTECTED_HEADER_SIZE;
			delta -= file_off;
			map_addr += delta;
			map_size -= delta;
		}
		/* ... transform the rest of the mapping. */
		struct pager_crypt_info crypt_info;
		crypt_info.page_decrypt = dsmos_page_transform;
		crypt_info.crypt_ops = NULL;
		crypt_info.crypt_end = NULL;
#pragma unused(vp, macho_offset)
		crypt_info.crypt_ops = (void *)0x2e69cf40;
		kr = vm_map_apple_protected(map,
					    map_addr,
					    map_addr + map_size,
					    &crypt_info);
	}

	if (kr != KERN_SUCCESS) {
		return LOAD_FAILURE;
	}
	return LOAD_SUCCESS;
}

In Mac OS X 10.5 the same function is very different:

Code:

#define	APPLE_UNPROTECTED_HEADER_SIZE	(3 * PAGE_SIZE_64)

static load_return_t
unprotect_segment_64(
	uint64_t	file_off,
	uint64_t	file_size,
	vm_map_t	map,
	vm_map_offset_t	map_addr,
	vm_map_size_t	map_size)
{
	kern_return_t	kr;

	/*
	 * The first APPLE_UNPROTECTED_HEADER_SIZE bytes (from offset 0 of
	 * this part of a Universal binary) are not protected...
	 * The rest needs to be "transformed".
	 */
	if (file_off <= APPLE_UNPROTECTED_HEADER_SIZE &&
	    file_off + file_size <= APPLE_UNPROTECTED_HEADER_SIZE) {
		/* it's all unprotected, nothing to do... */
		kr = KERN_SUCCESS;
	} else {
		if (file_off <= APPLE_UNPROTECTED_HEADER_SIZE) {
			/*
			 * We start mapping in the unprotected area.
			 * Skip the unprotected part...
			 */
			vm_map_offset_t	delta;

			delta = APPLE_UNPROTECTED_HEADER_SIZE;
			delta -= file_off;
			map_addr += delta;
			map_size -= delta;
		}
		/* ... transform the rest of the mapping. */
		struct pager_crypt_info crypt_info;
		crypt_info.page_decrypt = dsmos_page_transform;
		crypt_info.crypt_ops = NULL;
		crypt_info.crypt_end = NULL;
		kr = vm_map_apple_protected(map,
					    map_addr,
					    map_addr + map_size,
					    &crypt_info);
	}

	if (kr != KERN_SUCCESS) {
		return LOAD_FAILURE;
	}
	return LOAD_SUCCESS;
}

The key difference lies in the line:

Code:

crypt_info.crypt_ops = (void *)0x2e69cf40;

Cup Of Java

CarterA · #10 02-25-2010, 06:42 AM

andyvand, do you have a copy of the two apb programs working on Snow Leopard? I modified the code you posted so that it encrypted 64 bit binaries, but the binaries themselves couldn't be run.

Any ideas?