Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Bypassing macOS's file quarantine, gatekeeper, and notarization requirements

Patrick Wardle, posted 4 years ago
  • macOS makes a serious effort to validate that the applications it launches are legitimate: code signatures on the binaries, notarization (Apple scans the app for malicious content and issues a ticket), Gatekeeper (the "are you sure you want to open this app?" prompt and the policy behind it) and file quarantine (the com.apple.quarantine extended attribute that downloaded files are tagged with).
  • macOS applications are bundled in an unusual way. An .app is really a directory tree: Contents/MacOS holds the main binary, and alongside it sit libraries, frameworks, resources and an Info.plist describing the bundle. What is a bare-bones application? All you need is a directory app_name.app containing a single executable at Contents/MacOS/app_name, i.e. a binary (or script) whose name matches the bundle's.
  • For some reason that layout triggers none of the security checks above. The author stumbled upon this bug by simply trying to get a bare-bones app to launch; the bulk of the article is spent reversing the macOS logic to find out why it is let through.
  • The bug is fairly simple: only bundled applications are validated, and what makes something a bundled application in the eyes of that code is the presence of an Info.plist. Leave it out and the app is classified as not-a-bundle, so the quarantine, Gatekeeper and notarization checks are skipped entirely. Because the trick is so simple it was already being exploited in the wild. Yikes! (Apple tracked it as CVE-2021-30657 and fixed it in macOS 11.3.)
  • Sometimes bugs just fall out of thin air. Reshaping an input so that it violates the developer's assumptions but still works is where a lot of bugs live.
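As an added example (my own code, not from Wardle's article or from Apple), the shell script below builds both bundle shapes in a scratch directory and runs a simple triage check over a directory tree: flag any .app that has an executable at Contents/MacOS/<name> but no Contents/Info.plist, which is exactly the shape that slipped past the checks. The helper names (make_barebones_app, make_normal_app, is_plistless_bundle, scan_for_plistless_bundles) are hypothetical, the bundles it creates are constructed test data, and it only inspects the filesystem; it does not reproduce Gatekeeper's real classification logic. On a system patched for CVE-2021-30657 such a bundle is no longer let through, but a plist-less .app is still a cheap indicator worth raising when sifting through downloads or a mounted disk image.

```shell
#!/bin/sh
# Added example: build a plist-less "bare-bones" app next to a normal one,
# then scan for bundles of the suspicious shape. Helper names are made up.

make_barebones_app() {
    # $1 = parent dir, $2 = app name.
    # Creates $1/$2.app/Contents/MacOS/$2 and nothing else (no Info.plist).
    app="$1/$2.app"
    mkdir -p "$app/Contents/MacOS"
    printf '#!/bin/sh\necho hello from %s\n' "$2" > "$app/Contents/MacOS/$2"
    chmod +x "$app/Contents/MacOS/$2"
    printf '%s\n' "$app"
}

make_normal_app() {
    # Same layout as above plus a minimal Info.plist, which is what makes
    # macOS treat the directory as a real bundle and validate it.
    app=$(make_barebones_app "$1" "$2")
    cat > "$app/Contents/Info.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleExecutable</key>
    <string>$2</string>
</dict>
</plist>
EOF
    printf '%s\n' "$app"
}

# True (exit 0) when the .app has an executable at Contents/MacOS/<name>
# whose name matches the bundle, but no Contents/Info.plist.
is_plistless_bundle() {
    app="$1"
    name=$(basename "$app" .app)
    [ -x "$app/Contents/MacOS/$name" ] && [ ! -f "$app/Contents/Info.plist" ]
}

# Walks a directory tree and prints every suspicious bundle, one per line.
scan_for_plistless_bundles() {
    find "$1" -type d -name '*.app' | while read -r app; do
        if is_plistless_bundle "$app"; then
            printf '%s\n' "$app"
        fi
    done
}

# Usage: build one of each in a temp dir, scan, and clean up.
# Only the Sneaky.app path is printed.
demo() {
    tmp=$(mktemp -d)
    make_barebones_app "$tmp" "Sneaky" > /dev/null
    make_normal_app "$tmp" "Honest" > /dev/null
    scan_for_plistless_bundles "$tmp"
    rm -rf "$tmp"
}

demo
```

The check is deliberately narrow: a bundle missing Info.plist but with a matching executable is the precise shape the article describes, so it produces few false positives, but it will not catch any other way of convincing the bundle parser that a directory is not an application.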