
I'm trying to understand the workflow of a Mac app from its executable. I'm using the Hopper disassembler to disassemble the binary executable.

I'm not able to execute the binary executable of this Mac app through Hopper, as this app keeps on crashing. So I think this particular Mac app detects whether a debugger is attached to the process or not.

Further, this application outputs a string like `WARNING: Detecting crashes is NOT enabled due to running the app with a debugger attached.` This makes it clear that it detects a debugger's attachment to the process and modifies the control flow.


I used the local debugger feature available in Hopper to run the executables.

So is it possible to hide my debugger from this process? If yes, then I'm curious to know how.

Are there any debugger-hiding plugins available for the Hopper disassembler?

From where should I start to look for isDebuggerAtached() checks in the assembly, since it's always hard to find the starting point.

Jaffer Sheriff
  • This question might be better suited for https://reverseengineering.stackexchange.com/ – Thomas Weller Jun 16 '17 at 09:30
  • "modifies the control flow" - it might just disable the unhandled exception handler, but that's all just a guess. Also, Hopper seems to be not only a Disassembler but also a Debugger. I don't understand why this is tagged "IDA", since this question is not related to IDA as far as I understand. – Thomas Weller Jun 16 '17 at 09:35
  • I don't think this question is specific to Hopper or IDA. I also tried disassembling the same binary with IDA but I got the same result. So I would really appreciate any help in hiding the disassembler from the executable. – Jaffer Sheriff Jun 16 '17 at 10:15
  • IMHO, in the disassembling process, no executable is executed and no debugger is attached. To me it seems more like a debugging issue. The disassembling part is irrelevant. It would possibly happen in any debugger. I'm not very familiar with OSX, but there are tools like [ScyllaHide](https://github.com/nihilus/ScyllaHide) – Thomas Weller Jun 16 '17 at 14:45
  • @ThomasWeller Updated the question. Thanks a lot for the info regarding ScyllaHide :) – Jaffer Sheriff Jun 16 '17 at 15:59
